[am-99]

Yeah I rebooted and deleted the old one and I did not rename it, but it still comes up with the same error message.

[Advertisements]

I have asked sUBs, the writer of ComboFix about this problem, and he is looking into it. So until he gets back to me, let's go about this a different way:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, DSS will open two Notepad files: main.txt and extra.txt
• Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download WinPFind35 Beta to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Regards,
RatHat

[RatHat]

I have asked sUBs, the writer of ComboFix about this problem, and he is looking into it. So until he gets back to me, let's go about this a different way:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
• When it has finished, DSS will open two Notepad files: main.txt and extra.txt
• Use Save As to save both Notepad files to your Desktop and post them in your next reply.

Note: A copy of these files can be found in you root drive, usually C:\Deckard\System Scanner\

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download WinPFind35 Beta to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

• Close ALL OTHER PROGRAMS.
• Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
• Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Regards,
RatHat

[RatHat]

Hi there,

To help sUBs figure out what is going wrong in your case, could you run a small batch script:

• Open Notepad
• Copy the contents of the codebox below using CTRL C

@echo off
set >Log.txt
Dir /a %systemdrive%\ >>Log.txt
tasklist /svc >>Log.txt
Tasklist /v >>Log.txt
Notepad Log.txt
Del Log.txt
Del %0

• Now return to Notepad and use CTRL V to paste the script
• Verify that you have pasted the complete script
• Save the Notepad file to your Desktop as Script.cmd using Save as Type: All files
• Locate Script.cmd on your desktop
• Double click to run.

This will produce a Notepad file for you. Please copy and paste the contents into your next reply, along with the DSS logs, and WinPFind attachment.

Regards,
RatHat

[am-99]

The extra.txt document is below:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Unable to create WMI object.

Architecture: X86; Language: English

Percentage of Memory in Use: 62%
Physical Memory (total/avail): 502.42 MiB / 187.41 MiB
Pagefile Memory (total/avail): 1474.5 MiB / 1169.12 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1945.13 MiB

C: is Fixed (NTFS) - 40.57 GiB total, 27.67 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
FirewallDisableNotify is set.

Unable to create WMI object.

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aman Minhas\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aman Minhas
LOGONSERVER=\\AMAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp
USERDOMAIN=AMAN
USERNAME=Aman Minhas
USERPROFILE=C:\Documents and Settings\Aman Minhas
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Aman Minhas (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Common Files\aolshare\Coach\AolCInUn.exe" -lang="en-uk"
--> c:\apps\skype\phone\unins000.exe
--> C:\PROGRA~1\COMMON~1\AOL\ACS\AcsUninstall.exe /c
--> C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\INSTALL.LOG
--> C:\Program Files\Common Files\AOL\Screensaver\uninst_ygpss.exe
--> C:\Program Files\Common Files\aolshare\Aolunins_uk.exe
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\CONEXANT\CNXT_AUDIO\HXFSETUP.EXE -U -IQTAC00BA.INF
--> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_C00B1631\HXFSETUP.EXE -U -IQTAC00BM.INF
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\Program Files\Learn2.com\StRunner\stuninst.exe
--> C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
--> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\Setup.EXE" -uninstall
--> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support --> MsiExec.exe /I{967D588C-9B96-40C9-A222-DCD6922563CA}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Axara AudioConverter 1.8.5 --> "C:\Program Files\Axara\unins000.exe"
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
EPSON Attach To Email --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Easy Photo Print --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5DA7BC15-18D3-41A0-9F59-838DA3EAEF17}\SETUP.EXE" -l0x9 UNINST
EPSON File Manager --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Scan Assistant --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Web-To-Page --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\SETUP.EXE" -l0x9 -anything
ESD68 User's Guide --> C:\Program Files\EPSON\TPMANUAL\ESD68\USE_G\DOCUNINS.EXE
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
HijackThis 2.0.2 --> "C:\Downloads\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Internet Worm Protection --> MsiExec.exe /I{2908F0CB-C1D4-447F-97A2-CFC135C9F8D4}
iTunes --> MsiExec.exe /I{E0219810-16E4-437D-9165-93D7B22524F9}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate 3.1 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
NI LabVIEW Run-Time Engine 6.1 --> MsiExec.exe /I{CC8971B9-9132-4C04-A8D4-628663C9E9F0}
Norton AntiVirus --> MsiExec.exe /X{830D8CBD-C668-49e2-A969-C2C2106332E0}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{830D8CBD-C668-49e2-A969-C2C2106332E0}_14_0_0_89\{830D8CBD-C668-49e2-A969-C2C2106332E0}.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton AntiVirus Parent MSI --> MsiExec.exe /I{E5EE9939-259F-4DE2-8023-5C49E16A4F43}
Norton AntiVirus SYMLT MSI --> MsiExec.exe /I{D1FF75E7-DD42-4CFD-B052-20B3FFF4EDB8}
Norton Protection Center --> MsiExec.exe /I{9A129ABC-A53A-4209-A21E-D5DEDFB7CCA8}
Packard Bell Toolbar 1.0 --> "C:\Program Files\Dynamic Toolbar\unins000.exe"
PerfectDisk --> MsiExec.exe /I{C190CB55-817E-4713-84F4-0BBB8961CED9}
PodProducer Beta v0.26 --> C:\WINDOWS\iun6002.exe "C:\Program Files\PodProducer\irunin.ini"
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Sky Broadband --> MsiExec.exe /I{14C35072-D7D0-4B29-B5BF-C94E426D77E9}
Sonic MyDVD --> MsiExec.exe /I{21657574-BD54-48A2-9450-EB03B2C7FC29}
Sonic RecordNow! --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
SopCast 2.0.4 --> C:\Program Files\SopCast\uninst.exe
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Symantec --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type31408 / Error
Event Submitted/Written: 01/31/2008 00:33:02 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application otmoveit2.exe, version 1.0.16.0, faulting module unknown, version 0.0.0.0, fault address 0x100151b2.
Processing media-specific event for [otmoveit2.exe!ws!]

Event Record #/Type31250 / Error
Event Submitted/Written: 01/26/2008 11:29:20 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type31249 / Error
Event Submitted/Written: 01/26/2008 11:29:20 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type31248 / Error
Event Submitted/Written: 01/26/2008 11:29:20 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Event Record #/Type31247 / Error
Event Submitted/Written: 01/26/2008 11:29:20 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type59114 / Warning
Event Submitted/Written: 01/31/2008 04:13:12 PM
Event ID/Source: 1009 / Dhcp
Event Description:
A network error occurred when trying to send a message. The error code is: %%10004.

Event Record #/Type59113 / Warning
Event Submitted/Written: 01/31/2008 04:13:12 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CE0C8469. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type59112 / Warning
Event Submitted/Written: 01/31/2008 04:13:12 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CE0C8469. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type59103 / Warning
Event Submitted/Written: 01/31/2008 03:11:20 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CE0C8469. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type59102 / Warning
Event Submitted/Written: 01/31/2008 03:11:20 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0013CE0C8469. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-02-01 16:18:39 ------------

[am-99]

The main.txt document is:

Deckard's System Scanner v20071014.68
Run by Aman Minhas on 2008-02-01 16:15:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 503 MiB (512 MiB recommended).


-- HijackThis (run as Aman Minhas.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:16:25, on 01/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Apps\Powercinema\PCMService.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint2K\HidFind.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Aman Minhas\Desktop\dss.exe
C:\DOWNLO~1\Aman Minhas.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [EPSON Stylus D68 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE /P23 "EPSON Stylus D68 Series" /O6 "USB001" /M "Stylus D68"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-3522055779-2810222019-3162980227-1006\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.on...e/en/crlocx.ocx
O21 - SSODL: aswmklt - {912E9492-31E8-4E9B-A935-F4F19FEBC59D} - C:\WINDOWS\aswmklt.dll (file missing)
O21 - SSODL: bqxomdo - {AE923E84-5D4B-45B9-B2EF-ECC5A7C8CCFE} - C:\WINDOWS\bqxomdo.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 10697 bytes

-- HijackThis Fixed Entries (C:\DOWNLO~1\backups\) -----------------------------

backup-20080131-002732-207 O2 - BHO: SXG Advisor - {BC165164-78D0-4209-A878-8E6692C768FF} - C:\WINDOWS\dpvtporrdw.dll (file missing)
backup-20080131-002732-328 O21 - SSODL: bqxomdo - {EB6853C2-1721-4341-ACFC-633FC7F61988} - C:\WINDOWS\bqxomdo.dll
backup-20080131-002732-399 O21 - SSODL: aswmklt - {ADD206C1-5217-462F-A234-C63185E85452} - C:\WINDOWS\aswmklt.dll
backup-20080131-002732-549 O3 - Toolbar: The elfwgps - {5B22CFDE-D43C-4F5C-8F6D-A20C959B85F7} - C:\WINDOWS\elfwgps.dll (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 DMSKSSRh - c:\docume~1\amanmi~1\locals~1\temp\dmskssrh.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - c:\apps\powercinema\kernel\tv\clcapsvc.exe
2 CLSched (CyberLink Task Scheduler (CTS)) - c:\apps\powercinema\kernel\tv\clsched.exe
2 CyberLink Media Library Service - c:\program files\cyberlink\shared files\clml_ntservice\clmlserver.exe
2 GenericHidService (Generic Service for HID Keyboard Input Collections) - c:\apps\hidservice\hidservice.exe
2 LiveUpdate Notice Ex (LiveUpdate Notice Service Ex) - c:\program files\common files\symantec shared\ccsvchst.exe
2 LiveUpdate Notice Service - c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe
2 PDSched (PDScheduler) - c:\program files\raxco\perfectdisk\pdsched.exe
3 WmiApSrv (WMI Performance Adapter) - c:\windows\system32\wbem\wmiapsrv.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2008-02-01 16:16:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-12-28 20:00:29 542 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Aman Minhas.job
2005-09-23 15:45:56 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job
2005-09-23 15:45:56 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job


-- Files created between 2008-01-01 and 2008-02-01 -----------------------------

2008-01-30 20:03:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-30 20:03:23 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-30 19:45:57 0 d-------- C:\BFU
2008-01-27 19:07:34 0 d-------- C:\Program Files\Enigma Software Group
2008-01-26 13:23:45 4214 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-26 13:22:39 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-26 13:22:39 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-01-26 13:22:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-01-26 13:22:39 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-01-26 13:22:39 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-01-26 13:22:39 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-23 18:02:43 81920 --a------ C:\WINDOWS\fvqkfsp.exe
2008-01-20 22:59:06 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-01-20 22:59:03 0 d-------- C:\Program Files\PodProducer


-- Find3M Report ---------------------------------------------------------------

2008-01-30 19:41:49 0 d-------- C:\Program Files\Java
2008-01-30 19:38:51 0 d-------- C:\Program Files\BitComet
2008-01-25 16:59:21 280 --a------ C:\WINDOWS\system32\PDBootState
2008-01-25 16:46:39 0 d-------- C:\Program Files\Common Files
2008-01-24 01:01:10 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-01-04 20:57:47 0 d-------- C:\Program Files\DivX
2007-12-29 16:36:29 0 d-------- C:\Documents and Settings\Aman Minhas\Application Data\Adobe
2007-12-28 14:44:15 0 d-------- C:\Program Files\Common Files\AVSMedia
2007-12-28 14:44:11 0 d-------- C:\Program Files\AVS4YOU
2007-12-21 14:42:37 0 d-------- C:\Documents and Settings\Aman Minhas\Application Data\AVS4YOU
2007-12-14 18:18:05 0 d-------- C:\Program Files\MSN Messenger
2007-12-09 03:56:31 0 d-------- C:\Documents and Settings\Aman Minhas\Application Data\TVU Networks
2007-12-08 13:06:55 0 d-------- C:\Program Files\SopCast
2007-12-05 17:15:30 0 d-------- C:\Program Files\Symantec
2007-12-04 01:33:18 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:18 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-12-04 01:33:16 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-11-29 22:30:28 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-11-29 22:28:24 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-11-29 22:28:24 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-11-28 21:52:32 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [09/04/2004 15:10]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [25/04/2005 09:32]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [25/04/2005 09:29]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [25/04/2005 09:32]
"PCMService"="c:\Apps\Powercinema\PCMService.exe" [29/04/2005 08:07]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/06/2007 05:24]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [31/07/2005 14:49]
"EPSON Stylus D68 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.exe" [25/01/2005 04:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [09/01/2007 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [06/09/2006 01:22]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [31/07/2007 17:44]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [07/08/2007 00:05]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [28/11/2007 19:51]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 00:11]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe" [02/09/2006 23:36]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [15/07/2007 13:22]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"aswmklt"= {912E9492-31E8-4E9B-A935-F4F19FEBC59D} - C:\WINDOWS\aswmklt.dll [ ]
"bqxomdo"= {AE923E84-5D4B-45B9-B2EF-ECC5A7C8CCFE} - C:\WINDOWS\bqxomdo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HdReg]
C:\APPS\HDREG\HDREGAPP.EXE -r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SECEDIT]
C:\Drivers\SECEDIT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59e71252-0090-11dc-ac3d-00038a000015}]
AutoRun\command- E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d704b150-f7cf-11db-ac30-00038a000015}]
AutoRun\command- E:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-02-01 16:18:39 ------------

[am-99]

This is the WinPFind35u folder

 WinPFind35.Txt   111.36KB   108 downloads

[am-99]

Hi this is the Script.cmd file:

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aman Minhas\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=AMAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aman Minhas
LOGONSERVER=\\AMAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PROGRA~1\COMMON~1\SONICS~1\;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp
USERDOMAIN=AMAN
USERNAME=Aman Minhas
USERPROFILE=C:\Documents and Settings\Aman Minhas
windir=C:\WINDOWS
Volume in drive C is HDD
Volume Serial Number is 482D-CC1E

Directory of C:\

14/11/2006 22:35 <DIR> 59b859567d52e39ff8c7
31/07/2005 14:58 <DIR> APPS
30/01/2008 19:49 <DIR> BFU
25/01/2008 15:46 281 BOOT.INI
31/07/2005 14:39 <DIR> cmdcons
04/08/2004 13:00 260,272 cmldr
01/02/2008 16:14 <DIR> Deckard
31/07/2005 14:42 <DIR> DIVTOOLS
27/10/2005 19:42 <DIR> Documents and Settings
01/02/2008 16:16 <DIR> Downloads
23/09/2005 15:49 <DIR> DRIVERS
31/07/2005 14:09 6,109 DWNLOG.TXT
01/02/2008 15:54 526,897,152 hiberfil.sys
31/07/2005 14:22 <DIR> Intel
31/07/2005 14:38 0 IO.SYS
31/07/2005 14:42 896 IPH.PH
04/08/2004 13:00 388,608 kmd.exe
22/01/2007 17:02 7,350,159 MaxSecureDB.sdb
31/07/2005 14:38 0 MSDOS.SYS
27/10/2007 16:42 <DIR> MSOCache
31/07/2005 14:42 <DIR> My Music
04/08/2004 13:00 47,564 NTDETECT.COM
04/08/2004 13:00 250,032 ntldr
01/02/2008 15:54 1,052,770,304 pagefile.sys
31/07/2005 14:08 <DIR> PNP
27/01/2008 19:07 <DIR> Program Files
31/01/2008 15:09 1,349 rapport.txt
27/10/2005 19:39 <DIR> RECYCLER
31/07/2005 14:50 <DIR> Redist
21/07/2005 13:26 95 SAUDIT.TXT
28/01/2008 16:38 268 sqmdata00.sqm
28/01/2008 16:52 232 sqmdata01.sqm
30/01/2008 19:37 268 sqmdata02.sqm
28/01/2008 19:36 232 sqmdata03.sqm
30/01/2008 15:20 268 sqmdata04.sqm
30/01/2008 19:58 268 sqmdata05.sqm
31/01/2008 01:20 268 sqmdata06.sqm
31/01/2008 15:30 268 sqmdata07.sqm
31/01/2008 16:17 268 sqmdata08.sqm
01/02/2008 16:11 268 sqmdata09.sqm
26/01/2008 15:05 268 sqmdata10.sqm
26/01/2008 18:15 268 sqmdata11.sqm
26/01/2008 19:13 268 sqmdata12.sqm
26/01/2008 23:26 268 sqmdata13.sqm
27/01/2008 16:05 268 sqmdata14.sqm
27/01/2008 19:38 268 sqmdata15.sqm
27/01/2008 20:11 232 sqmdata16.sqm
27/01/2008 20:12 232 sqmdata17.sqm
27/01/2008 20:15 232 sqmdata18.sqm
27/01/2008 20:15 232 sqmdata19.sqm
28/01/2008 16:38 244 sqmnoopt00.sqm
28/01/2008 16:52 244 sqmnoopt01.sqm
30/01/2008 19:37 244 sqmnoopt02.sqm
28/01/2008 19:36 244 sqmnoopt03.sqm
30/01/2008 15:20 244 sqmnoopt04.sqm
30/01/2008 19:58 244 sqmnoopt05.sqm
31/01/2008 01:20 244 sqmnoopt06.sqm
31/01/2008 15:30 244 sqmnoopt07.sqm
31/01/2008 16:17 244 sqmnoopt08.sqm
01/02/2008 16:11 244 sqmnoopt09.sqm
26/01/2008 15:05 244 sqmnoopt10.sqm
26/01/2008 18:15 244 sqmnoopt11.sqm
26/01/2008 19:13 244 sqmnoopt12.sqm
26/01/2008 23:26 244 sqmnoopt13.sqm
27/01/2008 16:05 244 sqmnoopt14.sqm
27/01/2008 19:38 244 sqmnoopt15.sqm
27/01/2008 20:11 244 sqmnoopt16.sqm
27/01/2008 20:12 244 sqmnoopt17.sqm
27/01/2008 20:15 244 sqmnoopt18.sqm
27/01/2008 20:15 244 sqmnoopt19.sqm
23/09/2005 15:46 <DIR> System Volume Information
01/02/2008 16:15 <DIR> WINDOWS
07/04/2007 15:26 150 YServer.txt
31/01/2008 00:32 <DIR> _OTMoveIt
55 File(s) 1,587,982,995 bytes
19 Dir(s) 29,712,019,456 bytes free

[sUBs]

Hello Aman, it's unfortunate that the log isn't showing me why ComboFix is behaving erratically on your machine. So, I made you a special copy of ComboFix which may be downloaded from here ==> http://subs.geekstog...ta/ComboFix.exe

Running this copy won't solve your issues but it should produce a log of events that'll help me troubleshoot it. Please double click ComboFix.exe to run it. If you get the error message "You cannot rename ComboFix as ComboFix", it should also pop up a log of errors. Kindly post this log

[RatHat]

Hey Aman,

Please carry out sUBs request above, then continue with the fix below:

Start WinPFind35U. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Registry - Non-Microsoft Only]
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YN -> {912E9492-31E8-4E9B-A935-F4F19FEBC59D} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\aswmklt.dll [aswmklt]
YN -> {AE923E84-5D4B-45B9-B2EF-ECC5A7C8CCFE} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\bqxomdo.dll [bqxomdo]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 90 days]
YN -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
YN -> WS2Fix.exe -> %System32%\WS2Fix.exe
YN -> fvqkfsp.exe -> %SystemRoot%\fvqkfsp.exe
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run another online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files:
• Once the files have been downloaded click on NEXT
  
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  Extended (if available otherwise Standard)
  
  • Scan Options:
  Scan Archives
  Scan Mail Bases
• Click OK
• Now under select a target to scan:Select My Computer
• This will program will start and scan your system.
• The scan will take a while so be patient and let it run.
• Once the scan is complete it will display the results if your system has been infected.
  
  • Now click on the Save as Text button:
• Save the file to your desktop as Kaspersky.txt.
• Copy and paste that information in your next post.

Also, please let me know how your computer is behaving now.

Regards,
RatHat

[am-99]

This is the log I got from ComboFix:


C:\>prompt $

title .

color 17

set "cfldr=327882R2FWJFW"

set param_=

if defined param_ set param_==^

if defined param_ set param_= & &

cd /d "C:\"

if not exist "327882R2FWJFW" goto Abort

if exist "C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" del "C:\DOCUME~1\AMANMI~1\LOCALS~1\Temp\327882R2FWJFW327882R2FWJFW.log" 2>nul

"327882R2FWJFW\Nircmd.com" win close ititle "ComboFix"

copy /y/b/v C:\WINDOWS\system32\cmd.exe "327882R2FWJFW\kmd.exe" 1>nul 2>&1

For /F "tokens=*" %g in ("C:\Documents and Settings\Aman Minhas\Desktop\ComboFix.exe") do @(
set "FileName=%~ng"
set "FilePath=%~dpg"
)

If /I "C:\Documents and Settings\Aman Minhas\Desktop\" NEQ "C:\" If exist "C:\Documents and Settings\Aman Minhas\Desktop\kmd.exe" del "C:\Documents and Settings\Aman Minhas\Desktop\kmd.exe" 2>nul

If not defined FileName goto END

DIR /AD/B | C:\WINDOWS\System32\FindStr.exe -IVX ComboFix 1>dirname00

C:\WINDOWS\System32\FindStr.exe -LIXC:"ComboFix" dirname00 1>nul 2>&1 && call :NameChk

del /Q dirname0? 2>nul

If exist "ComboFix" DIR /AD "ComboFix" 1>nul 2>&1 && (
rd /s/q "ComboFix" 2>nul
If exist "ComboFix" (
pushd "327882R2FWJFW"
call pid.bat
popd
rd /s/q "ComboFix" 2>nul
)
If exist "ComboFix" (
"327882R2FWJFW\handle.cfexe" "C:\ComboFix" | "327882R2FWJFW\SED.cfexe" -r "/pid:/!d; s/.*: (.*): .*/\1/" 1>temp00
for /F "tokens=1,2" %g in (temp00) do @echo.y | "327882R2FWJFW\Handle.cfexe" -p %g -c %h 1>nul
del /q temp00 2>nul
rd /s/q "ComboFix" 2>nul
)
)

If exist "ComboFix" rd /s/q "ComboFix" 2>nul

If not exist "ComboFix" Ren "327882R2FWJFW" "ComboFix" 1>nul 2>&1

If exist "327882R2FWJFW" goto AbortB

del /Q dirname0? 2>nul

"327882R2FWJFW\nircmd.com" infobox "You cannot rename ComboFix as ComboFix~n~nPlease use another name" ""

cd
C:\

dir /a *
Volume in drive C is HDD
Volume Serial Number is 482D-CC1E

Directory of C:\

02/02/2008 15:04 <DIR> 327882R2FWJFW
14/11/2006 22:35 <DIR> 59b859567d52e39ff8c7
31/07/2005 14:58 <DIR> APPS
30/01/2008 19:49 <DIR> BFU
25/01/2008 15:46 281 BOOT.INI
02/02/2008 15:04 1,909 cflog.txt
31/07/2005 14:39 <DIR> cmdcons
04/08/2004 13:00 260,272 cmldr
01/02/2008 16:14 <DIR> Deckard
31/07/2005 14:42 <DIR> DIVTOOLS
27/10/2005 19:42 <DIR> Documents and Settings
01/02/2008 16:16 <DIR> Downloads
23/09/2005 15:49 <DIR> DRIVERS
31/07/2005 14:09 6,109 DWNLOG.TXT
02/02/2008 14:49 526,897,152 hiberfil.sys
31/07/2005 14:22 <DIR> Intel
31/07/2005 14:38 0 IO.SYS
31/07/2005 14:42 896 IPH.PH
04/08/2004 13:00 388,608 kmd.exe
22/01/2007 17:02 7,350,159 MaxSecureDB.sdb
31/07/2005 14:38 0 MSDOS.SYS
27/10/2007 16:42 <DIR> MSOCache
31/07/2005 14:42 <DIR> My Music
04/08/2004 13:00 47,564 NTDETECT.COM
04/08/2004 13:00 250,032 ntldr
02/02/2008 14:49 1,052,770,304 pagefile.sys
31/07/2005 14:08 <DIR> PNP
27/01/2008 19:07 <DIR> Program Files
31/01/2008 15:09 1,349 rapport.txt
27/10/2005 19:39 <DIR> RECYCLER
31/07/2005 14:50 <DIR> Redist
21/07/2005 13:26 95 SAUDIT.TXT
28/01/2008 16:38 268 sqmdata00.sqm
28/01/2008 16:52 232 sqmdata01.sqm
30/01/2008 19:37 268 sqmdata02.sqm
28/01/2008 19:36 232 sqmdata03.sqm
30/01/2008 15:20 268 sqmdata04.sqm
30/01/2008 19:58 268 sqmdata05.sqm
31/01/2008 01:20 268 sqmdata06.sqm
31/01/2008 15:30 268 sqmdata07.sqm
31/01/2008 16:17 268 sqmdata08.sqm
01/02/2008 16:11 268 sqmdata09.sqm
02/02/2008 14:59 268 sqmdata10.sqm
26/01/2008 18:15 268 sqmdata11.sqm
26/01/2008 19:13 268 sqmdata12.sqm
26/01/2008 23:26 268 sqmdata13.sqm
27/01/2008 16:05 268 sqmdata14.sqm
27/01/2008 19:38 268 sqmdata15.sqm
27/01/2008 20:11 232 sqmdata16.sqm
27/01/2008 20:12 232 sqmdata17.sqm
27/01/2008 20:15 232 sqmdata18.sqm
27/01/2008 20:15 232 sqmdata19.sqm
28/01/2008 16:38 244 sqmnoopt00.sqm
28/01/2008 16:52 244 sqmnoopt01.sqm
30/01/2008 19:37 244 sqmnoopt02.sqm
28/01/2008 19:36 244 sqmnoopt03.sqm
30/01/2008 15:20 244 sqmnoopt04.sqm
30/01/2008 19:58 244 sqmnoopt05.sqm
31/01/2008 01:20 244 sqmnoopt06.sqm
31/01/2008 15:30 244 sqmnoopt07.sqm
31/01/2008 16:17 244 sqmnoopt08.sqm
01/02/2008 16:11 244 sqmnoopt09.sqm
02/02/2008 14:59 244 sqmnoopt10.sqm
26/01/2008 18:15 244 sqmnoopt11.sqm
26/01/2008 19:13 244 sqmnoopt12.sqm
26/01/2008 23:26 244 sqmnoopt13.sqm
27/01/2008 16:05 244 sqmnoopt14.sqm
27/01/2008 19:38 244 sqmnoopt15.sqm
27/01/2008 20:11 244 sqmnoopt16.sqm
27/01/2008 20:12 244 sqmnoopt17.sqm
27/01/2008 20:15 244 sqmnoopt18.sqm
27/01/2008 20:15 244 sqmnoopt19.sqm
02/02/2008 13:07 2,940 Start_.cmd
23/09/2005 15:46 <DIR> System Volume Information
01/02/2008 16:15 <DIR> WINDOWS
07/04/2007 15:26 150 YServer.txt
31/01/2008 00:32 <DIR> _OTMoveIt
57 File(s) 1,587,987,844 bytes
20 Dir(s) 29,703,266,304 bytes free

If exist C:\cflog.txt start Notepad.exe C:\cflog.txt

goto END

del /a/f/q "C:\327882R2FWJFW" 2>nul

rd /s/q "C:\327882R2FWJFW" 2>nul

del "C:\Start_.cmd"

[am-99]

This is the log I get from the WinPFind35U:

[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\aswmklt deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{912E9492-31E8-4E9B-A935-F4F19FEBC59D}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\bqxomdo deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AE923E84-5D4B-45B9-B2EF-ECC5A7C8CCFE}\ deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}\ not found.
[Files/Folders - Created Within 90 days]
C:\WINDOWS\System32\WS2Fix.exe moved successfully.
C:\WINDOWS\fvqkfsp.exe moved successfully.
[Empty Temp Folders]
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
< End of fix log >
WinPFind35U Version Beta42 fix logfile created on 02022008_151053

[RatHat]

That's looking good, could you run the Kaspersky scan, and let me know how your machine is behaving now.

Regards,
RatHat

[sUBs]

I had another topic that look similar to yours. Problem appears to be Symantec/Norton. User rebooted to safe mode where Symantec wasn't active & ComboFix ran okay.

[am-99]

I did the kaspersky scan and it still found 2 viruses and 5 infected objects. The computer is running fairly slow, but it was quite slow before the virus as well. The report is below:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 02, 2008 4:39:26 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/02/2008
Kaspersky Anti-Virus database records: 545970
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62931
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:09:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\18895ABE.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\7A434F2D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\Aman Minhas\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Aman Minhas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Aman Minhas\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Aman Minhas\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aman Minhas\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Aman Minhas\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Aman Minhas\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Downloads\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP617\A0103894.exe Infected: Trojan-Downloader.Win32.Zlob.gkd skipped
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP622\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

[RatHat]

What Kaspersky is showing is false positives from Smitfraudfix, and a copy of Zlob in your system restore archives. So lets deal with them first!

Please double-click OTMoveIt2.exe to run it.
Click the Clean up button
Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
Click Yes to the reboot.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now lets Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• Check Turn off System Restore.
• Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

• On the Desktop, right-click My Computer.
• Click Properties.
• Click the System Restore tab.
• UN-Check Turn off System Restore.
• Click Apply, and then click OK.

System Restore will now be active again.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now let's see if we can run Combofix.

Firstly, delete all versions that you have in your computer, then download a fresh version from Here, Here or Here to your Desktop.

DO NOT run Combofix yet. Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

When in Safe Mode, locate Combofix.exe on your desktop and double click it to run the program. Follow the prompts, then save the log it produces to your desktop as Combofix.txt

Reboot back into normal Windows and post me the contents of the Combofix log you have just saved.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Now regards the computer being slow. If you look at the DSS log in post 20, you will see that the amount of memory you have is low:

Total Physical Memory: 503 MiB (512 MiB recommended).

If you upgrade to a minimum of 1GB of RAM, you should see a marked improvement.

Regards,
RatHat