JaffaCat

  1. I will have a look at your recommendations; I have already downloaded and installed a number from your previous post. The laptop seems fine, but I have found out that my HOSTS file has been corrupted; I will be replacing it with another one I have from a backup. Thank you for your time and patience in assisting in the removal of the malware. CHEERS.
  2. I have now updated to XP Service Pack 3 and created a new Restore Point. I have also read this suggested post - So how did I get infected in the first place? I just have a few questions :- I have been using FF as a browser for some time and I still got infected; is Opera or Safari a worthy browser? Is it worth clearing all the Temp folders, and is there a command that will do all of these, including any hidden Temp folders? I'm using ZoneAlarm as a Firewall; should I change it to e.g. 'Online Armor' or 'Outpost'? I've only used the laptop for a short time, and it does seem to be behaving itself.
  3. I have now created a new Restore Point, and I have also run the Disk Cleanup routines. Is there anything outstanding I should run/do on the laptop?
  4. Thanks for the information in relation to the quarantining by Avira AntiVir. I have done all the other tasks, but the instructions in relation to "Clear & Reset System Restore's Cache" don't match what comes up in the 'System Properties' window. All I have is a box to check/uncheck 'Turn off System Restore'; all I can do is check it, then click Apply, then uncheck it and click Apply. Am I doing anything incorrectly, or is there something else that I have missed?
  5. Apologies, this should have been the log :-
     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 4014
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 8.0.6001.18702
     21/04/2010 09:24:55
     mbam-log-2010-04-21 (09-24-55).txt
     Scan type: Quick scan
     Objects scanned: 123705
     Time elapsed: 12 minute(s), 26 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AlwynHJ\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     C:\Documents and Settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> Quarantined and deleted successfully.
     I did run it again as you asked; here is the log :-
     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 4014
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 8.0.6001.18702
     21/04/2010 13:09:17
     mbam-log-2010-04-21 (13-09-17).txt
     Scan type: Quick scan
     Objects scanned: 123756
     Time elapsed: 10 minute(s), 26 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     (No malicious items detected)
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     (No malicious items detected)
     I also ran MBAM in "Full scan" by mistake, which didn't result in any detections, but it did trigger Avira AntiVir to pop up a window 9 times; all items are now in quarantine.
     Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP537\A0102377.exe
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP537\A0102395.dll
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP539\A0103431.exe
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/Agent.AO.1107 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP540\A0103488.exe
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/CryptXPACK.Gen (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP540\A0103489.exe
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\System Volume Information\_restore{4C7BD312-7E61-4B1C-99F6-F2881B8CEE32}\RP542\A0105795.dll
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/PCK.Katusha.J.1315 (trojan)' detected in file C:\Qoobox\Quarantine\C\Documents and Settings\AlwynHJ\Local Settings\Application Data\3743969374.dll.vir
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/Agent.AO.1107 (trojan)' detected in file C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\grpconv.exe.vir
     Action performed: Move file to quarantine.
     Virus or unwanted program 'TR/CryptXPACK.Gen (trojan)' detected in file C:\Qoobox\Quarantine\C\WINDOWS\system32\wbem\proquota.exe.vir
     Action performed: Move file to quarantine.
  6. Followed your instructions regarding MBAM and the log is attached :-
     Malwarebytes' Anti-Malware 1.45
     www.malwarebytes.org
     Database version: 4014
     Windows 5.1.2600 Service Pack 2
     Internet Explorer 8.0.6001.18702
     21/04/2010 09:24:02
     mbam-log-2010-04-21 (09-24-02).txt
     Scan type: Quick scan
     Objects scanned: 123705
     Time elapsed: 12 minute(s), 26 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 1
     Memory Processes Infected:
     (No malicious items detected)
     Memory Modules Infected:
     (No malicious items detected)
     Registry Keys Infected:
     (No malicious items detected)
     Registry Values Infected:
     (No malicious items detected)
     Registry Data Items Infected:
     HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\AlwynHJ\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
     Folders Infected:
     (No malicious items detected)
     Files Infected:
     C:\Documents and Settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat (Trojan.Agent) -> No action taken.
     mbam_log_2010_04_21__09_24_02_.txt
  7. It took 2 goes to get it working, but it did finally go all the way through. STEP 04 log is attached. Kaspersky_Log.txt
  8. STEP 01 I have deleted the 3 exe's from the C drive. STEP 02 Created the "CFscript.txt" as mentioned above and dropped it into Combofix, which ran OK in Normal mode. Here is the log :-
     ComboFix 10-04-17.07 - AlwynHJ 20/04/2010 8:50.3.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.310 [GMT 1:00]
     Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\AlwynHJ\Desktop\CFscript.txt
     AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
     FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     STEP 03 There were no Java entries in the Control Panel option for Add or Remove Programs. I downloaded the latest as indicated and checked that Temporary Internet Files was checked as requested. STEP 04 I can't get to an Internet connection at the moment; I will probably be able to do it in the next couple of hours. Will post the required log when complete.
  9. Combofix ran OK in Normal mode. Here it is :-
     ComboFix 10-04-17.07 - AlwynHJ 19/04/2010 10:19:57.2.1 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.252 [GMT 1:00]
     Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.exe
     AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
     FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
     * Created a new restore point
  10. TDSSKiller.exe ran OK, didn't ask for a restart, and here's the log attached. TDSSKiller.2.2.8.1_16.04.2010_08.18.26_log.zip
11. I started running GMER in Normal mode and after about 20 minutes I had the Blue Screen of Death with the following message:

PFN_LIST_CORRUPT
****STOP 0x0000004E (0x00000007, 0x0001D34A, 0x00000001, 0x00000000)

So I decided to run it in Safe mode; it ran OK but I couldn't get to the box to save the scan details. I rebooted into Normal mode and ran GMER again, and after about 25 minutes another Blue Screen of Death with the following message:

PFN_LIST_CORRUPT
****STOP 0x0000004E (0x00000007, 0x00008680, 0x00000001, 0x00000000)

Can you give assistance if I'm doing anything incorrectly?
12. An update to the previous post: I clicked through the new window which said 'Open With' by choosing Cancel 3 times. Combofix was unable to install Microsoft Windows Recovery Console, as I couldn't get a network connection. While in Safe mode I couldn't disable AntiVir and Lavasoft Ad-Aware. Combofix carried on and re-booted in Normal mode; it took a while to create a log. Here it is:

ComboFix 10-04-13.03 - AlwynHJ 14/04/2010 13:52:50.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.337 [GMT 1:00]
Running from: c:\documents and settings\AlwynHJ\Desktop\ComboFix.com
AV: AntiVir Desktop *On-access scanning enabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
 * WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\AlwynHJ\Application Data\wiaservg.log
C:\Thumbs.db
c:\windows\system32\muzapp.exe
c:\windows\system32\wbem\grpconv.exe
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_npf

((((((((((((((((((((((((( Files Created from 2010-03-14 to 2010-04-14 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-08 13:41 . 2010-04-07 23:15   197120  --sha-w-  c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll
2010-03-30 21:16 . 2010-03-30 21:16   225672  ----a-w-  C:\CrucialUKScan.exe
2010-03-30 19:35 . 2008-12-21 20:34   --------  d-----w-  c:\program files\Malwarebytes' Anti-Malware
2010-03-30 19:34 . 2009-03-26 16:41   5918776  ----a-w-  c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-30 14:17 . 2010-03-09 21:17   439816  ----a-w-  c:\documents and settings\AlwynHJ\Application Data\Real\Update\setup3.10\setup.exe
2010-03-29 23:46 . 2008-12-21 20:34   38224  ----a-w-  c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:46 . 2010-04-07 20:48   1086856  ----a-w-  C:\mbam.exe
2010-03-29 23:45 . 2008-12-21 20:34   20824  ----a-w-  c:\windows\system32\drivers\mbam.sys
2010-02-25 06:24 . 2006-06-23 18:33   916480  ----a-w-  c:\windows\system32\wininet.dll
2010-02-12 10:03 . 2010-04-08 12:13   293376  ------w-  c:\windows\system32\browserchoice.exe
2010-01-20 00:18 . 2010-01-20 00:17   40233352  ----a-w-  C:\zaSetup_91_007_002_en.exe
2009-04-03 17:11 . 2007-10-26 20:55   40581152  --sha-w-  c:\windows\system32\drivers\fidbox.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Getdo"="c:\documents and settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat" [2010-04-08 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2003-08-21 151552]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"StorageGuard"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-02-13 155648]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-22 919016]
"Client Access Service"="c:\program files\IBM\Client Access\cwbsvstr.exe" [2007-03-06 20531]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\FirstStart.exe" [2008-02-22 54576]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-09-20 132624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-05-13 185896]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-13 177472]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"ZCfgSvc.exe"="c:\windows\system32\ZCfgSvc.exe" [2005-07-05 639040]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2005-06-27 135168]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-4-21 693520]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2007-10-26 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2005-07-05 01:33 188482 ----a-w- c:\windows\system32\LgNotify.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [17/08/2009 22:20 64160]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/11/2009 21:18 108289]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
R3 Start BT in service;Start BT in service;c:\program files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe [21/04/2007 14:54 52080]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [26/10/2007 02:01 33847]
.
Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 22:21]

2010-04-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\AlwynHJ\Application Data\Mozilla\Firefox\Profiles\suf0kv29.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-14 14:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-796845957-842925246-854245398-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1108)
c:\windows\system32\LgNotify.dll

- - - - - - - > 'explorer.exe'(1424)
c:\windows\system32\WININET.dll
c:\docume~1\AlwynHJ\LOCALS~1\Temp\23631764.nls
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Avira\AntiVir Desktop\shlext.dll
c:\program files\Malwarebytes' Anti-Malware\mbamext.dll
c:\program files\Lavasoft\Ad-Aware\ShellExt.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\WinRAR\rarext.dll
c:\progra~1\MarkAny\CONTEN~1\MACSMA~1.DLL
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\shdoclc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\S24EvMon.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\1XConfig.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\RegSrvc.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\windows\System32\wbem\unsecapp.exe
c:\windows\BCMSMMSG.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Apoint\Apntex.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleil VoIP Plugin.exe
.
**************************************************************************
.
Completion time: 2010-04-14 14:27:21 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-14 13:27

Pre-Run: 12,376,195,072 bytes free
Post-Run: 13,001,560,064 bytes free

- - End Of File - - 16A1D387C0492EFD23696C44F0C58BB0

I have also now been successful in installing 'Microsoft Windows Recovery Console' from the Windows XP CD.
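The ComboFix log in the post above contains, in one place, the items an analyst reads first when triaging such a log: a Run-key value ("Getdo") that launches a file with a non-executable extension (flacor.dat) from under the user's Application Data folder, a hidden+system file (3743969374.dll) in the user's profile, AntiVirusOverride and FirewallOverride set to 1 under the Security Center key, and EnableFirewall=0 in the Windows firewall policy. The Python below is an added example, not code from this thread or from ComboFix: it parses lines in the layout ComboFix uses above and lists those indicators. The sample input is constructed from lines copied out of that log, the regular expressions and heuristics are this example's own assumptions, and each hit is a review candidate rather than a verdict (legitimate software also ships hidden system files; ZoneAlarm's fidbox.dat in the same listing is one such case).

```python
"""Triage helper for a pasted ComboFix log (added example, not ComboFix code).

The line formats mirror the ComboFix log above; the heuristics (what counts
as a suspicious Run entry, which Security Center values matter) are assumptions
made for this example and should be reviewed by a human, not acted on blindly.
"""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
2010-04-08 13:41 . 2010-04-07 23:15 197120 --sha-w- c:\documents and settings\AlwynHJ\Local Settings\Application Data\3743969374.dll
2010-03-30 21:16 . 2010-03-30 21:16 225672 ----a-w- C:\CrucialUKScan.exe
2009-04-03 17:11 . 2007-10-26 20:55 40581152 --sha-w- c:\windows\system32\drivers\fidbox.dat
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OM2_Monitor"="c:\program files\OLYMPUS\OLYMPUS Master 2\MMonitor.exe" [2008-02-22 95536]
"Getdo"="c:\documents and settings\AlwynHJ\Application Data\Adobe\Update\flacor.dat" [2010-04-08 99840]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

# A registry section header such as [HKEY_CURRENT_USER\...\Run].
SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="target" [date size]   (Run-key values as ComboFix prints them).
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"')
# "Name"=dword:00000001   or   "Name"= 0 (0x0)
DWORD_RE = re.compile(
    r'^"(?P<name>[^"]+)"=\s*(?:dword:(?P<hex>[0-9a-f]+)|(?P<dec>\d+)\s*\(0x[0-9a-f]+\))', re.I)
# Find3M report row: mtime . ctime size attributes path
FIND3M_RE = re.compile(
    r'^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+'
    r'(?P<size>\d+|-+)\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$', re.I)
# XP-era per-user profile root; anything launched from here is worth a look.
USER_PROFILE_RE = re.compile(r'\\documents and settings\\[^\\]+\\', re.I)
# Extensions one expects to see as a Run-key target (assumption for this example).
RUN_EXTENSIONS = ('.exe', '.com', '.cpl', '.scr', '.bat', '.cmd')


@dataclass
class Finding:
    kind: str    # short category used for counting and filtering
    detail: str  # the offending value, path or setting


def check_run_value(target):
    """Return the reasons (possibly none) a Run-key target deserves review."""
    reasons = []
    if USER_PROFILE_RE.search(target):
        reasons.append("launches from a user profile directory")
    if not target.lower().endswith(RUN_EXTENSIONS):
        reasons.append("target does not have an executable extension")
    return reasons


def triage(log_text):
    """Walk the log line by line and collect review candidates."""
    findings = []
    section = ""  # lower-cased registry key of the section we are inside
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = FIND3M_RE.match(line)
        if m:
            attr = m.group("attr").lower()
            # 'h' and 's' together mean hidden + system, a common evasion trick.
            if "h" in attr and "s" in attr:
                findings.append(Finding("hidden-system-file", m.group("path")))
            continue
        if section.endswith("\\currentversion\\run"):
            m = VALUE_RE.match(line)
            if m:
                name, target = m.group("name"), m.group("target")
                reasons = check_run_value(target)
                if reasons:
                    why = "; ".join(reasons)
                    findings.append(Finding("suspicious-run-entry", f"{name} -> {target} ({why})"))
        elif "security center" in section or "firewallpolicy" in section:
            m = DWORD_RE.match(line)
            if not m:
                continue
            name = m.group("name")
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            # Overrides silence Security Center's "no AV / no firewall" warnings.
            if name.lower() in ("antivirusoverride", "firewalloverride") and value == 1:
                findings.append(Finding("security-center-override", f"{name}={value}"))
            elif name.lower() == "enablefirewall" and value == 0:
                findings.append(Finding("firewall-disabled", f"{section}: EnableFirewall=0"))
    return findings


def summarize(findings):
    """Count findings per category, e.g. {'hidden-system-file': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run against the sample above it reports the Getdo entry (both reasons apply), the two hidden+system files, both Security Center overrides and the disabled firewall profile. Feeding it a whole ComboFix log works the same way, since unrecognised lines are simply skipped; the point of the category names is that the counts can be compared between the log posted before and after a clean-up step.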
13. I started the laptop in Safe Mode and tried to run Combofix; the same thing happened as before, a new window opens to say 'Open With'. So I renamed it to combofix.com and ran it; it waited for a few seconds as if it was extracting, then the same new window opens to say 'Open With'. Does this mean that the malware has disabled the running of any .exes even in Safe mode? Thanks for replying so quickly.
14. Hi, thank you for replying. I can't get the laptop on the internet, so I saved and copied Combofix via a USB drive. I clicked the icon on the Desktop; the .exe doesn't do anything and a new window opens to say 'Open With'. Does this mean that the malware has disabled the running of any .exes? What would be the next procedure?
15. It's been longer than 48 hours, more like 96 hours+, and there's been no contact or reply to my post. Since posting the problem I haven't used the laptop due to the issues posted. I couldn't run my Anti-Virus (Avira) and Malwarebytes; I had to log the call via another PC. Should I be posting any other logs or running any other applications to assist with diagnosing the problem?