englishcitystone
Honorary Members
Posts: 23
Reputation: 0 Neutral
  1. Hi Kevin. All done, defragging now. AV is installed (I had to exit Trend Micro Titanium Max Security whilst running the scan as it was picking up false positives). I run several systems with T.M. and Malwarebytes and all of them have stayed clean as a whistle. So, is this the end of the journey? If so, thank you very much!
  2. Here's the next log. I'll do the system restore flush now and await further instruction.

     Results of screen317's Security Check version 0.99.73
     Windows Vista Service Pack 2 x86 (UAC is enabled)
     Internet Explorer 9
     Internet Explorer 8
     ``````````````Antivirus/Firewall Check:``````````````
     Windows Firewall Enabled!
     WMI entry may not exist for antivirus; attempting automatic update.
     `````````Anti-malware/Other Utilities Check:`````````
     Malwarebytes Anti-Malware version 1.75.0.1300
     CCleaner
     Java 6 Update 30
     Java 6 Update 6
     Java version out of Date!
     Adobe Flash Player 10 Flash Player out of Date!
     Adobe Reader 10.1.8 Adobe Reader out of Date!
     Google Chrome 29.0.1547.62
     Google Chrome 29.0.1547.66
     ````````Process Check: objlist.exe by Laurent````````
     Trend Micro UniClient UiFrmWrk uiWatchDog.exe
     `````````````````System Health check`````````````````
     Total Fragmentation on Drive C: 8 % Defragment your hard drive soon! (Do NOT defrag if SSD!)
     ````````````````````End of Log``````````````````````
  3. Date/Time,Threat,Source,Affected Files,Response,Detected By
     12/09/2013 13:43,HEU_CDPLC024,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\uninstalllist.exe,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC016,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\flashx64.bat,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC024,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\Other\Copyright Information.txt,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC011,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\Other\swreg.exe,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC016,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\MSEx64.bat,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC024,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\Other\Update History.txt,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC016,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\SecurityCheck.bat,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC011,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\Objlist.exe,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC024,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\Other\cmdinfo.exe,Removed,Correlation Scan
     12/09/2013 13:43,HEU_CDPLC024,Threat,C:\Users\Camille\AppData\Local\Temp\RarSFX0\SecurityCheck\runprocesses.exe,Removed,Correlation Scan
  4. Hi Kevin. I was running Security Check after apparently disabling Trend Micro; when I turned back to look, T.M. had found ten threats whilst the scan was in process, see log below. I stopped the scan...
  5. Combofix.exe is on the desktop, but the instructions on how to delete it don't work, "Windows cannot find Combofix/Uninstall"...
  6. Latest log:

     Starting Repairs...
     Start (12/09/2013 09:06:41)

     01 - Reset Registry Permissions 01/03 HKEY_CURRENT_USER & Sub Keys
     Start (12/09/2013 09:06:41)
     Running Repair Under Current User Account
     Done (12/09/2013 09:06:51)

     01 - Reset Registry Permissions 02/03 HKEY_LOCAL_MACHINE & Sub Keys
     Start (12/09/2013 09:06:51)
     Running Repair Under System Account
     Done (12/09/2013 09:11:26)

     01 - Reset Registry Permissions 03/03 HKEY_CLASSES_ROOT & Sub Keys
     Start (12/09/2013 09:11:26)
     Running Repair Under System Account
     Done (12/09/2013 09:12:01)

     02 - Reset File Permissions 01/15 C:\AdwCleaner & Sub Folders
     Start (12/09/2013 09:12:01)
     Running Repair Under System Account
     Done (12/09/2013 09:12:06)

     02 - Reset File Permissions 02/15 C:\Boot & Sub Folders
     Start (12/09/2013 09:12:06)
     Running Repair Under System Account
     Done (12/09/2013 09:12:08)

     02 - Reset File Permissions 03/15 C:\FRST & Sub Folders
     Start (12/09/2013 09:12:08)
     Running Repair Under System Account
     Done (12/09/2013 09:12:10)

     02 - Reset File Permissions 04/15 C:\Intel & Sub Folders
     Start (12/09/2013 09:12:10)
     Running Repair Under System Account
     Done (12/09/2013 09:12:13)

     02 - Reset File Permissions 05/15 C:\MSOCache & Sub Folders
     Start (12/09/2013 09:12:13)
     Running Repair Under System Account
     Done (12/09/2013 09:12:15)

     02 - Reset File Permissions 06/15 C:\PerfLogs & Sub Folders
     Start (12/09/2013 09:12:15)
     Running Repair Under System Account
     Done (12/09/2013 09:12:18)

     02 - Reset File Permissions 07/15 C:\Program Files & Sub Folders
     Start (12/09/2013 09:12:18)
     Running Repair Under System Account
     Done (12/09/2013 09:14:29)

     02 - Reset File Permissions 08/15 C:\ProgramData & Sub Folders
     Start (12/09/2013 09:14:29)
     Running Repair Under System Account
     Done (12/09/2013 09:14:57)

     02 - Reset File Permissions 09/15 C:\Qoobox & Sub Folders
     Start (12/09/2013 09:14:57)
     Running Repair Under System Account
     Done (12/09/2013 09:14:59)

     02 - Reset File Permissions 10/15 C:\RegBackup & Sub Folders
     Start (12/09/2013 09:14:59)
     Running Repair Under System Account
     Done (12/09/2013 09:15:02)

     02 - Reset File Permissions 11/15 C:\TMRescueDisk & Sub Folders
     Start (12/09/2013 09:15:02)
     Running Repair Under System Account
     Done (12/09/2013 09:15:04)

     02 - Reset File Permissions 12/15 C:\Toshiba & Sub Folders
     Start (12/09/2013 09:15:04)
     Running Repair Under System Account
     Done (12/09/2013 09:15:17)

     02 - Reset File Permissions 13/15 C:\Windows & Sub Folders
     Start (12/09/2013 09:15:17)
     Running Repair Under System Account
     Done (12/09/2013 09:24:03)

     02 - Reset File Permissions 14/15 C:\Works & Sub Folders
     Start (12/09/2013 09:24:03)
     Running Repair Under System Account
     Done (12/09/2013 09:24:18)

     02 - Reset File Permissions 15/15 C:\_OTM & Sub Folders
     Start (12/09/2013 09:24:18)
     Running Repair Under System Account
     Done (12/09/2013 09:24:20)

     02 - Reset File Permissions 01/05 E:\DIDI-JUNIOR & Sub Folders
     Start (12/09/2013 09:24:20)
     Running Repair Under System Account
     Done (12/09/2013 09:24:33)

     02 - Reset File Permissions 02/05 E:\HDDRecovery & Sub Folders
     Start (12/09/2013 09:24:33)
     Running Repair Under System Account
     Done (12/09/2013 09:24:35)

     02 - Reset File Permissions 03/05 E:\MSOCache & Sub Folders
     Start (12/09/2013 09:24:35)
     Running Repair Under System Account
     Done (12/09/2013 09:24:38)

     02 - Reset File Permissions 04/05 E:\Music & Sub Folders
     Start (12/09/2013 09:24:38)
     Running Repair Under System Account
     Done (12/09/2013 09:25:05)

     02 - Reset File Permissions 05/05 E:\Pictures & Sub Folders
     Start (12/09/2013 09:25:05)
     Running Repair Under System Account
     Done (12/09/2013 09:25:43)

     02 - Reset File Permissions: Cleanup & Sub Folders
     Start (12/09/2013 09:25:43)
     Running Repair Under System Account
     Done (12/09/2013 09:25:47)

     03 - Register System Files
     Start (12/09/2013 09:25:47)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:26:17)

     04 - Repair WMI
     Start (12/09/2013 09:26:17)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:29:54)

     05 - Repair Windows Firewall
     Start (12/09/2013 09:29:54)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:30:30)

     06 - Repair Internet Explorer
     Start (12/09/2013 09:30:30)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:31:00)

     07 - Repair MDAC/MS Jet
     Start (12/09/2013 09:31:00)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:31:22)

     08 - Repair Hosts File
     Start (12/09/2013 09:31:22)
     Running Repair Under System Account
     Done (12/09/2013 09:31:24)

     09 - Remove Policies Set By Infections
     Start (12/09/2013 09:31:24)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:31:29)

     11 - Repair Icons
     Start (12/09/2013 09:31:29)
     Running Repair Under System Account
     Done (12/09/2013 09:31:31)

     12 - Repair Winsock & DNS Cache
     Start (12/09/2013 09:31:31)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:31:44)

     14 - Repair Proxy Settings
     Start (12/09/2013 09:31:44)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:31:49)

     16 - Repair Windows Updates
     Start (12/09/2013 09:31:49)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:21)

     17 - Repair CD/DVD Missing/Not Working
     Start (12/09/2013 09:32:21)
     Done (12/09/2013 09:32:21)

     18 - Repair Volume Shadow Copy Service
     Start (12/09/2013 09:32:21)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:30)

     20 - Repair MSI (Windows Installer)
     Start (12/09/2013 09:32:30)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:38)

     22.01 - Repair bat Association
     Start (12/09/2013 09:32:38)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:43)

     22.02 - Repair cmd Association
     Start (12/09/2013 09:32:43)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:48)

     22.03 - Repair com Association
     Start (12/09/2013 09:32:48)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:53)

     22.04 - Repair Directory Association
     Start (12/09/2013 09:32:53)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:32:57)

     22.05 - Repair Drive Association
     Start (12/09/2013 09:32:57)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:02)

     22.06 - Repair exe Association
     Start (12/09/2013 09:33:02)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:07)

     22.07 - Repair Folder Association
     Start (12/09/2013 09:33:07)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:11)

     22.08 - Repair inf Association
     Start (12/09/2013 09:33:11)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:16)

     22.09 - Repair lnk (Shortcuts) Association
     Start (12/09/2013 09:33:16)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:21)

     22.10 - Repair msc Association
     Start (12/09/2013 09:33:21)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:25)

     22.11 - Repair reg Association
     Start (12/09/2013 09:33:25)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:30)

     22.12 - Repair scr Association
     Start (12/09/2013 09:33:30)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:35)

     23 - Repair Windows Safe Mode
     Start (12/09/2013 09:33:35)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:39)

     24 - Repair Print Spooler
     Start (12/09/2013 09:33:39)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:33:52)

     25 - Restore Important Windows Services
     Start (12/09/2013 09:33:52)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:34:01)

     26 - Set Windows Services To Default Startup
     Start (12/09/2013 09:34:01)
     Running Repair Under Current User Account
     Running Repair Under System Account
     Done (12/09/2013 09:34:14)

     Cleaning up empty logs...
     All Selected Repairs Done.
     Done (12/09/2013 09:34:14)
     Total Repair Time: 00:27:33
     ...YOU MUST RESTART YOUR SYSTEM...
     Running Repair Under Current User Account
  7. Link: http://www.bleepingcomputer.com/forums/t/466657/windows-update-error-80096001/
  8. Evening Kevin. I tried the instructions in post #2 (including all the manual instructions), but no joy, so I took a chance on the solution on the following page (post #2) and it worked first time. Hope this may be a useful resource for you! Do you have any other suggestion except to test the system and report?
  9. Trouble installing Windows updates. There were 31 essential updates, 4 succeeded and the remainder failed. I tried installing a few individually, but they all failed: Code 80096001
  10. Hi Kevin. Logs below. I am thinking that it would now be a good idea to install all the essential Windows updates and use the machine for a while. How does that sound? Also, I uninstalled AVG, but I have seen traces of it on many of the scans we've performed (and also Kaspersky). Is there a way to completely remove these programs? Or is there no need to do that? Many thanks for your help so far!

     All processes killed
     ========== FILES ==========
     File move failed. C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe scheduled to be moved on reboot.
     C:\Users\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe moved successfully.
     < ipconfig /flushdns /c >
     Windows IP Configuration
     Successfully flushed the DNS Resolver Cache.
     C:\Users\Camille\Desktop\cmd.bat deleted successfully.
     C:\Users\Camille\Desktop\cmd.txt deleted successfully.
     ========== COMMANDS ==========
     [EMPTYTEMP]
     User: All Users
     User: Camille
     ->Temp folder emptied: 53718 bytes
     ->Temporary Internet Files folder emptied: 10910535 bytes
     ->Java cache emptied: 0 bytes
     ->Google Chrome cache emptied: 7932003 bytes
     ->Apple Safari cache emptied: 0 bytes
     ->Flash cache emptied: 1973520 bytes
     User: Default
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 67 bytes
     ->Flash cache emptied: 57472 bytes
     User: Default User
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 0 bytes
     ->Flash cache emptied: 0 bytes
     User: Guest
     ->Temp folder emptied: 0 bytes
     ->Temporary Internet Files folder emptied: 6118296 bytes
     ->Flash cache emptied: 601 bytes
     User: Public
     ->Temp folder emptied: 0 bytes
     %systemdrive% .tmp files removed: 0 bytes
     %systemroot% .tmp files removed: 0 bytes
     %systemroot%\System32 .tmp files removed: 0 bytes
     %systemroot%\System32\drivers .tmp files removed: 0 bytes
     Windows Temp folder emptied: 3020 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
     %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
     RecycleBin emptied: 0 bytes
     Total Files Cleaned = 26.00 mb
     OTM by OldTimer - Version 3.1.21.0 log created on 09102013_210923
     Files moved on Reboot...
     File C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe not found!
     Registry entries deleted on Reboot...

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org
     Database version: v2013.09.10.10
     Windows Vista Service Pack 2 x86 NTFS
     Internet Explorer 9.0.8112.16421
     Camille :: DIDI-JUNIOR [administrator]
     10/09/2013 21:14:59
     mbam-log-2013-09-10 (21-14-59).txt
     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 256663
     Time elapsed: 10 minute(s), 9 second(s)
     Memory Processes Detected: 0
     (No malicious items detected)
     Memory Modules Detected: 0
     (No malicious items detected)
     Registry Keys Detected: 0
     (No malicious items detected)
     Registry Values Detected: 0
     (No malicious items detected)
     Registry Data Items Detected: 0
     (No malicious items detected)
     Folders Detected: 0
     (No malicious items detected)
     Files Detected: 0
     (No malicious items detected)
     (end)
  11. Hi Kevin. Logs as follows:

     ComboFix 13-09-09.04 - Camille 10/09/2013 14:38:02.2.2 - x86
     Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2939.1716 [GMT 1:00]
     Running from: c:\users\Camille\Desktop\ComboFix.exe
     Command switches used :: c:\users\Camille\Desktop\CFScript.txt
     AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82}
     SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F}
     SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
     .
     .
     ((((((((((((((((((((((((( Files Created from 2013-08-10 to 2013-09-10 )))))))))))))))))))))))))))))))
     .
     .
     2013-09-10 13:46 . 2013-09-10 13:46 -------- d-----w- c:\users\Guest\AppData\Local\temp
     2013-09-10 13:46 . 2013-09-10 13:46 -------- d-----w- c:\users\Default\AppData\Local\temp
     2013-09-10 10:34 . 2013-09-10 13:46 -------- d-----w- c:\users\Camille\AppData\Local\temp
     2013-09-10 08:44 . 2013-08-19 23:47 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10B501AF-3E45-4CA2-9BDA-A301831E1EBE}\mpengine.dll
     2013-09-09 18:28 . 2013-09-09 18:31 -------- d-----w- C:\AdwCleaner
     2013-09-09 14:08 . 2013-09-09 14:08 -------- d-----w- C:\FRST
     .
     .
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2013-09-09 10:23 . 2013-08-02 14:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2013-08-21 19:11 . 2012-09-04 15:47 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys
     2013-08-07 03:22 . 2009-10-02 16:11 238872 ------w- c:\windows\system32\MpSigStub.exe
     2013-07-16 12:49 . 2012-04-09 18:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
     2013-07-16 12:49 . 2011-06-19 19:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
     2013-07-15 10:19 . 2011-05-11 16:26 4640768 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\spotify.exe
     2013-07-15 10:19 . 2013-04-20 16:58 62464 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpotifyLauncher.exe
     2013-07-15 10:19 . 2013-04-20 16:58 9964032 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\icudt.dll
     2013-07-15 10:19 . 2013-04-20 16:58 24985600 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\libcef.dll
     2013-07-15 10:19 . 2013-04-20 16:58 1104384 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe
     2011-01-19 09:34 . 2011-01-19 09:34 2993152 ----a-w- c:\program files\openofficeorg33.msi
     .
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4
     .
     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
     .
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
     "NDSTray.exe"="NDSTray.exe" [bU]
     "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192]
     "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480]
     "Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824]
     "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632]
     "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040]
     "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520]
     "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944]
     "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504]
     "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456]
     "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816]
     "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800]
     "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864]
     "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280]
     "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616]
     "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848]
     "IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544]
     "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
     .
     c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
     .
     c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
     TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
     .
     c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
     TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
     "EnableLUA"= 0 (0x0)
     "EnableUIADesktopToggle"= 0 (0x0)
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
     "AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
     @="Service"
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center]
     "AntiVirusOverride"=dword:00000001
     "FirewallOverride"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
     "DisableMonitoring"=dword:00000001
     .
     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
     HsfXAudioService REG_MULTI_SZ HsfXAudioService
     .
     Contents of the 'Scheduled Tasks' folder
     .
     2013-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
     - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 12:49]
     .
     2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
     .
     2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
     - c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
     .
     2013-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
     - c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
     .
     2013-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
     - c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
     .
     .
     **************************************************************************
     .
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2013-09-10 14:46
     Windows 6.0.6002 Service Pack 2 NTFS
     .
     scanning hidden processes ...
     .
     scanning hidden autostart entries ...
     .
     scanning hidden files ...
     .
     scan completed successfully
     hidden files: 0
     .
     **************************************************************************
     .
     --------------------- LOCKED REGISTRY KEYS ---------------------
     .
     [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
     @Denied: (A) (Users)
     @Denied: (A) (Everyone)
     @Allowed: (B 1 2 3 4 5) (S-1-5-20)
     "BlindDial"=dword:00000000
     .
     Completion time: 2013-09-10 14:47:55
     ComboFix-quarantined-files.txt 2013-09-10 13:47
     ComboFix2.txt 2013-09-10 10:43
     .
     Pre-Run: 60,927,221,760 bytes free
     Post-Run: 60,950,757,376 bytes free
     .
     - - End Of File - - 4EB5911DF0FC1E787554CF65B2A37C50
     5C616939100B85E558DA92B899A0FC36

     ESET SCAN:
     C:\Documents and Settings\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe a variant of Win32/Injector.ALMX trojan
     C:\FRST\Quarantine\bhgeftl.dat a variant of Win32/Kryptik.BJMV trojan
     C:\FRST\Quarantine\ehgdiqumxfxbnrjtckf.bfg a variant of Win32/Injector.ALMX trojan
     C:\Users\Camille\AppData\Roaming\Adobe\AIR\ELS\BBCiPlayerDesktop.61DB7A798358575D6A969CCD73DDBBD723A6DA9D.1\APSPrivateData2\0\Resources\SceKEbCUuLjmo3f2edzwQo8KDIh8=\ODY2RDI5RkItNjNEOS0zQTAwLUEyNkEtRkY5NjM5NTMxNzVF\net.exe a variant of Win32/Injector.ALMX trojan
  12. Hi Kevin. Logs below. I am still being prompted to shut down the machine and install new Windows updates. Also, web pages are taking a long time to load and sometimes only partially load. It took three refresh attempts to get this page to display in its entirety. Thanks Keving. FYI - I had to uninstall AVG free prior to running ComboFix as the program was still saying AVG was active afterf I'd tried to disable it. Fix result of Farbar Recovery Tool (FRST written by Farbar) (x86) Version: 09-09-2013 Ran by Camille at 2013-09-10 09:03:03 Run:2 Running from C:\Users\Camille\Desktop Boot Mode: Normal ============================================== Content of fixlist: ***************** Start C:\Users\Camille\AppData\Local\Temp\Quarantine.exe end ***************** C:\Users\Camille\AppData\Local\Temp\Quarantine.exe => Moved successfully. ==== End of Fixlog ==== ComboFix 13-09-09.04 - Camille 10/09/2013 11:24:51.1.2 - x86 Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2939.2274 [GMT 1:00] Running from: c:\users\Camille\Desktop\ComboFix.exe AV: AVG Anti-Virus Free *Disabled/Updated* {0C939084-9E57-CBDB-EA61-0B0C7F62AF82} SP: AVG Anti-Virus Free *Disabled/Updated* {B7F27160-B86D-C455-D0D1-307E04E5E53F} SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . 
c:\program files\Setup.exe c:\users\Camille\Documents\~WRL1132.tmp c:\users\Camille\Documents\~WRL2332.tmp c:\windows\$NtUninstallKB45717$ c:\windows\$NtUninstallKB45717$\1963827381 c:\windows\$NtUninstallKB45717$\2433164178\@ c:\windows\$NtUninstallKB45717$\2433164178\bckfg.tmp c:\windows\$NtUninstallKB45717$\2433164178\cfg.ini c:\windows\$NtUninstallKB45717$\2433164178\Desktop.ini c:\windows\$NtUninstallKB45717$\2433164178\keywords c:\windows\$NtUninstallKB45717$\2433164178\kwrd.dll c:\windows\$NtUninstallKB45717$\2433164178\L\qnbwvoto c:\windows\$NtUninstallKB45717$\2433164178\U\00000001.@ c:\windows\$NtUninstallKB45717$\2433164178\U\00000002.@ c:\windows\$NtUninstallKB45717$\2433164178\U\00000004.@ c:\windows\$NtUninstallKB45717$\2433164178\U\80000000.@ c:\windows\$NtUninstallKB45717$\2433164178\U\80000004.@ c:\windows\$NtUninstallKB45717$\2433164178\U\80000032.@ c:\windows\system32\pt c:\windows\system32\pt\toscdspd.cpl.mui . . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . . -------\Service_AMService . . ((((((((((((((((((((((((( Files Created from 2013-08-10 to 2013-09-10 ))))))))))))))))))))))))))))))) . . 2013-09-10 10:35 . 2013-09-10 10:35 -------- d-----w- c:\users\Default\AppData\Local\temp 2013-09-10 10:34 . 2013-09-10 10:39 -------- d-----w- c:\users\Camille\AppData\Local\temp 2013-09-10 10:34 . 2013-09-10 10:34 -------- d-----w- c:\users\Guest\AppData\Local\temp 2013-09-10 08:44 . 2013-08-19 23:47 7166848 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{10B501AF-3E45-4CA2-9BDA-A301831E1EBE}\mpengine.dll 2013-09-09 18:28 . 2013-09-09 18:31 -------- d-----w- C:\AdwCleaner 2013-09-09 14:08 . 2013-09-09 14:08 -------- d-----w- C:\FRST . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2013-09-09 10:23 . 2013-08-02 14:41 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2013-08-21 19:11 . 
2012-09-04 15:47 37664 ----a-w- c:\windows\system32\drivers\avgtpx86.sys 2013-08-07 03:22 . 2009-10-02 16:11 238872 ------w- c:\windows\system32\MpSigStub.exe 2013-07-16 12:49 . 2012-04-09 18:14 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2013-07-16 12:49 . 2011-06-19 19:48 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2013-07-15 10:19 . 2011-05-11 16:26 4640768 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\spotify.exe 2013-07-15 10:19 . 2013-04-20 16:58 62464 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SpotifyLauncher.exe 2013-07-15 10:19 . 2013-04-20 16:58 9964032 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\icudt.dll 2013-07-15 10:19 . 2013-04-20 16:58 24985600 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\libcef.dll 2013-07-15 10:19 . 2013-04-20 16:58 1104384 ----a-w- c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Data\SpotifyWebHelper.exe 2011-01-19 09:34 . 2011-01-19 09:34 2993152 ----a-w- c:\program files\openofficeorg33.msi . . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920] . 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904] "NDSTray.exe"="NDSTray.exe" [bU] "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-06-24 30192] "Google EULA Launcher"="c:\program files\Google\Google EULA\GoogleEULALauncher.exe" [2008-05-28 20480] "Toshiba TEMPO"="c:\program files\Toshiba TEMPRO\Toshiba.Tempo.UI.TrayApplication.exe" [2008-04-24 103824] "topi"="c:\program files\TOSHIBA\Toshiba Online Product Information\topi.exe" [2007-07-10 581632] "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-06-25 150040] "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-06-25 170520] "Persistence"="c:\windows\system32\igfxpers.exe" [2008-06-25 145944] "RtHDVCpl"="RtHDVCpl.exe" [2008-04-08 6037504] "TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2008-01-17 431456] "SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2008-06-24 509816] "00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2008-05-09 716800] "Toshiba Registration"="c:\program files\Toshiba\Registration\ToshibaRegistration.exe" [2008-01-11 574864] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-11-28 59280] "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2010-07-25 2569616] "CanonSolutionMenuEx"="c:\program files\Canon\Solution Menu EX\CNSEMAIN.EXE" [2010-09-14 1213848] "IJNetworkScannerSelectorEX"="c:\program files\Canon\IJ Network Scanner Selector EX\CNMNSST.exe" [2010-09-09 452016] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-18 421888] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-12-12 152544] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576] . 
c:\users\Guest\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE /tsr [2009-2-26 97680]
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
c:\users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
TRDCReminder.lnk - c:\program files\TOSHIBA\TRDCReminder\TRDCReminder.exe [2008-3-5 393216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HsfXAudioService REG_MULTI_SZ HsfXAudioService
.
Contents of the 'Scheduled Tasks' folder
.
2013-09-10 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-09 12:49]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-03 19:31]
.
2013-09-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000Core.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
2013-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3611875381-1350613575-1696103304-1000UA.job
- c:\users\Camille\AppData\Local\Google\Update\GoogleUpdate.exe [2011-12-11 19:29]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.microsoftonline.com/login.srf?wa=wsignin1.0&rpsnv=2&ct=1374234529&rver=6.1.6206.0&wp=MBI_KEY&wreply=https:%2F%2Fwww.outlook.com%2Fowa%2F&id=260563&whr=live.ucl.ac.uk&CBCXT=out
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-TOSCDSPD - TOSCDSPD.EXE
HKLM-Run-cfFncEnabler.exe - cfFncEnabler.exe
c:\users\Camille\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Audible Download Manager.lnk - c:\program files\Audible\Bin\AudibleDownloadHelper.exe /Startup
SafeBoot-WudfPf
SafeBoot-WudfRd
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-10 11:40
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\system32\WLANExt.exe
c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\Toshiba TEMPRO\TempoSVC.exe
c:\program files\TOSHIBA\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\system32\TODDSrv.exe
c:\program files\TOSHIBA\Power Saver\TosCoSrv.exe
c:\program files\TOSHIBA\SMARTLogService\TosIPCSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\TOSHIBA\ConfigFree\NDSTray.exe
c:\windows\RtHDVCpl.exe
c:\program files\TOSHIBA\TOSCDSPD\TOSCDSPD.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\program files\Windows Media Player\wmpnscfg.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2013-09-10 11:43:41 - machine was rebooted
ComboFix-quarantined-files.txt 2013-09-10 10:43
.
Pre-Run: 60,890,783,744 bytes free
Post-Run: 61,106,462,720 bytes free
.
- - End Of File - - 583CDCBA98873033B42027E7FBF4DB9E 5C616939100B85E558DA92B899A0FC36
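The "Reg Loading Points" and "Supplementary Scan" sections of the ComboFix log above carry the values a responder reads first by hand: EnableLUA under policies\system, the AppInit_DLLs injection point, the Security Center AntiVirusOverride/FirewallOverride and DisableMonitoring values, and the DhcpNameServer line. The Python below is an added example, not part of this thread and not ComboFix's own code, that parses those line formats and flags the weak settings. Its sample input is an excerpt of the posted log embedded as a constant; the regular expressions, the rule thresholds and the explanatory messages are my own assumptions about ComboFix's output format and are not taken from the tool's documentation.

```python
import re
from typing import Dict, List, Tuple, Union

# Lines excerpted from the ComboFix log posted above, embedded so the script
# runs offline. This is a constructed sample for the example, not a fresh log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
.
TCP: DhcpNameServer = 192.168.1.1 0.0.0.0
"""

# Assumed line shapes, taken from how the posted log prints keys and values.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
DWORD_RE = re.compile(r"^dword:(?P<hex>[0-9a-fA-F]{8})$")
PAREN_INT_RE = re.compile(r"^(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\)$")

Value = Union[int, str]
Finding = Tuple[str, str]


def parse_value(raw: str) -> Value:
    """Turn 'dword:00000001', '0 (0x0)' or a bare path into an int or str."""
    raw = raw.strip()
    m = DWORD_RE.match(raw)
    if m:
        return int(m.group("hex"), 16)
    m = PAREN_INT_RE.match(raw)
    if m:
        return int(m.group("dec"))
    return raw.strip('"')


def parse_reg_points(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each lower-cased registry key to its name/value pairs, in log order."""
    keys: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            keys.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = parse_value(vm.group("val"))
    return keys


def triage(text: str) -> List[Finding]:
    """Return (setting, why it matters) for each weak setting in the excerpt."""
    findings: List[Finding] = []
    for key, values in parse_reg_points(text).items():
        if key.endswith(r"\policies\system") and values.get("EnableLUA") == 0:
            findings.append(("EnableLUA", "UAC is off: an admin user's processes run with a full "
                             "token, so anything they launch gets admin rights without a prompt"))
        if key.endswith(r"\windows nt\currentversion\windows") and values.get("AppInit_DLLs"):
            findings.append(("AppInit_DLLs", f"{values['AppInit_DLLs']} is loaded into every "
                             "process that loads user32.dll; confirm it belongs to installed software"))
        if key.endswith(r"\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append((name, "Security Center alert suppressed; a missing or "
                                     "disabled product will not be reported to the user"))
        if "\\security center\\monitoring\\" in key and values.get("DisableMonitoring") == 1:
            product = key.split("\\")[-1]
            findings.append(("DisableMonitoring", f"Security Center no longer monitors '{product}'"))
    # DNS line lives outside the registry dump, so match it directly.
    for line in text.splitlines():
        if line.strip().startswith("TCP: DhcpNameServer") and "0.0.0.0" in line:
            findings.append(("DhcpNameServer", "0.0.0.0 is listed as a DNS server; check the DHCP lease"))
    return findings


if __name__ == "__main__":
    for setting, why in triage(SAMPLE_LOG):
        print(f"{setting}: {why}")
```

Run against the excerpt, the script reports six findings in log order. The rules are deliberately narrow (exact key suffixes, exact value parsing) so that a legitimate `EnableLUA`=1 or an empty `AppInit_DLLs` produces nothing; widen them only once you have checked the value forms in the log you are actually reading.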
  13. Same error message followed by notification that the machine is infected with Rootkit.zeroaccess in tcp/ip stack. Logs to follow once sorted and internet connection re-established.
  14. And now there's a Windows error message: "Freeware implementation of XCACLS has stopped working". I have closed the window and trust the scan is still working!