[tommy_]

When running SysRestorePoint.exe I recieve the following error.
How should I proceed from here?
Thankyou.


Microsoft.Net Framework
"Unhandled exception has occurred in your application. If you click continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Exception from HRESULT:0x8000423F4

Details:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Runtime.InteropServices.COMException (0x800423F4): Exception from HRESULT: 0x800423F4
at Microsoft.VisualBasic.CompilerServices.LateBinding.LateGet(Object o, Type objType, String name, Object[] args, String[] paramnames, Boolean[] CopyBack)
at Microsoft.VisualBasic.CompilerServices.NewLateBinding.LateGet(Object Instance, Type Type, String MemberName, Object[] Arguments, String[] ArgumentNames, Type[] TypeArguments, Boolean[] CopyBack)
at SysRestorePoint.Module1.CreateRestorePoint()
at SysRestorePoint.Form1.Form1_Load(Object eventSender, EventArgs eventArgs)
at System.EventHandler.Invoke(Object sender, EventArgs e)
at System.Windows.Forms.Form.OnLoad(EventArgs e)
at System.Windows.Forms.Form.OnCreateControl()
at System.Windows.Forms.Control.CreateControl(Boolean fIgnoreVisible)
at System.Windows.Forms.Control.CreateControl()
at System.Windows.Forms.Control.WmShowWindow(Message& m)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ScrollableControl.WndProc(Message& m)
at System.Windows.Forms.ContainerControl.WndProc(Message& m)
at System.Windows.Forms.Form.WmShowWindow(Message& m)
at System.Windows.Forms.Form.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)


************** Loaded Assemblies **************
mscorlib
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
SysRestorePoint
Assembly Version: 1.3.0.0
Win32 Version: 1.3.0.0
CodeBase: file:///C:/Users/tommy/Downloads/SysRestorePoint.exe
----------------------------------------
Microsoft.VisualBasic
Assembly Version: 8.0.0.0
Win32 Version: 8.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.VisualBasic/8.0.0.0__b03f5f7f11d50a3a/Microsoft.VisualBasic.dll
----------------------------------------
System
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Windows.Forms
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System.Drawing
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Runtime.Remoting
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------
System.Configuration
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3053 (netfxsp.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
Assembly Version: 2.0.0.0
Win32 Version: 2.0.50727.3074 (QFE.050727-3000)
CodeBase: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

<configuration>
<system.windows.forms jitDebugging="true" />
</configuration>

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

[Advertisements]

Hi, tommy_

Welcome.

Lets take a look.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
• Install the Recovery Console upon request.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

[JSntgRvr]

Hi, tommy_

Welcome.

Lets take a look.

Please read and follow all these instructions very carefully.

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

• Please, never rename Combofix unless instructed.
• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  

  -----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    

    -----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

  -----------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
• Install the Recovery Console upon request.
• When finished, it will produce a report for you.
• Please post the "C:\ComboFix.txt" for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything unless told to do so while we are fixing your problem.

[tommy_]

Thankyou for your reply J SntgRvr.

Here is the log from Malwarebyte's Anti-Malware.

--- File Start ---
Malwarebytes' Anti-Malware 1.39
Database version: 2468
Windows 6.0.6001 Service Pack 1

21/07/2009 3:58:30 PM
mbam-log-2009-07-21 (15-58-30).txt

Scan type: Quick Scan
Objects scanned: 85825
Time elapsed: 2 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
--- End of File ---


After following the Combofix instructions I do not recall being prompted to 'Install the Recovery Console'.

Combofix detected the following:
C:\Windows\system32\drivers\SKYNETbjbqetep.sys
C:\Windows\system32\SKYNETfrmcurhd.dll
C:\Windows\system32\SKYNETdceqiqsx.dat
C:\Windows\system32\SKYNETxtkvddxp.dll
C:\Windows\system32\SKYNETtbplqoxx.dat

Here is the ComboFix.txt log file:

--- Start of File ---
ComboFix 09-07-20.04 - tommy 21/07/2009 16:11.1.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.61.1033.18.3326.2449 [GMT 9.5:30]
Running from: c:\users\tommy\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-3719346066-1755772926-2078216697-1001
c:\$recycle.bin\S-1-5-21-51003140-4199384537-3980697693-500
c:\windows\system32\dc.exe
c:\windows\system32\drivers\SKYNETbjbqetep.sys
c:\windows\system32\SKYNETdceqiqsx.dat
c:\windows\system32\SKYNETfrmcurhd.dll
c:\windows\system32\SKYNETtbplqoxx.dat
c:\windows\system32\SKYNETxtkvddxp.dll
c:\windows\system32\wordpad.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SKYNETdpvcfxgi


((((((((((((((((((((((((( Files Created from 2009-06-21 to 2009-07-21 )))))))))))))))))))))))))))))))
.

2009-07-21 06:48 . 2009-07-21 06:49 -------- d-----w- c:\users\tommy\AppData\Local\temp
2009-07-21 06:48 . 2009-07-21 06:48 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-07-21 06:24 . 2009-07-13 04:06 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-21 06:24 . 2009-07-21 06:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-21 06:24 . 2009-07-13 04:06 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 07:57 . 2009-07-15 07:57 -------- d-----w- c:\programdata\id Software
2009-07-15 03:13 . 2009-06-15 15:24 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-07-15 03:13 . 2009-06-15 15:20 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-07-15 03:13 . 2009-06-15 15:20 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-07-15 03:13 . 2009-06-15 12:52 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-07-13 03:31 . 2009-07-13 03:31 625728 ----a-w- c:\programdata\id Software\QuakeLive\npquakezero.dll
2009-07-07 08:24 . 2009-07-07 08:24 -------- d-----w- c:\users\tommy\AppData\Roaming\SplashupLight.8F84E54D18819F0C71CA15FE192C56A89F17989F.1
2009-07-07 08:24 . 2009-07-07 08:24 -------- d-----w- c:\program files\Splashup Light
2009-07-07 03:37 . 2009-07-07 03:37 -------- d-----w- c:\programdata\WindowsSearch
2009-07-06 04:31 . 2009-07-06 04:31 2373712 ----a-w- c:\programdata\id Software\QuakeLive\pbsvc.exe
2009-07-05 07:51 . 2009-07-05 08:01 -------- d-----w- C:\Fraps
2009-07-04 07:43 . 2009-07-04 07:43 107196 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-27 04:20 . 2009-06-27 04:24 -------- d-----w- C:\Python25
2009-06-26 13:17 . 2009-06-27 04:30 -------- d-----w- c:\program files\Bethesda Softworks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-21 06:41 . 2008-12-03 07:36 16608 ----a-w- c:\windows\gdrv.sys
2009-07-21 06:40 . 2008-12-05 08:00 -------- d-----w- c:\users\tommy\AppData\Roaming\uTorrent
2009-07-21 06:05 . 2008-12-03 11:33 -------- d-----w- c:\program files\Steam
2009-07-20 14:21 . 2008-12-04 11:50 -------- d-----w- c:\users\tommy\AppData\Roaming\mIRC
2009-07-20 11:42 . 2008-12-04 12:11 -------- d-----w- c:\program files\mIRC
2009-07-19 14:47 . 2008-12-05 10:43 -------- d-----w- c:\program files\1
2009-07-19 10:43 . 2009-04-12 12:40 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-07-19 10:43 . 2009-01-14 10:26 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-07-15 16:37 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-07-15 07:57 . 2009-01-14 10:26 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-07-06 08:44 . 2009-05-23 14:38 -------- d-----w- c:\users\tommy\AppData\Roaming\Mumble
2009-07-03 05:00 . 2008-12-03 11:33 -------- d-----w- c:\program files\Common Files\Steam
2009-06-20 10:01 . 2008-12-03 07:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-15 12:01 . 2009-05-03 03:53 -------- d-----w- c:\programdata\Microsoft Help
2009-06-10 14:04 . 2008-12-04 13:14 -------- d-----w- c:\users\tommy\AppData\Roaming\Hamachi
2009-05-26 22:36 . 2008-12-03 07:35 59288 ----a-w- c:\users\tommy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-23 14:38 . 2009-05-23 14:38 -------- d-----w- c:\program files\Mumble
2009-05-19 12:23 . 2009-01-14 10:26 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-05-19 12:21 . 2009-01-14 10:26 22328 ----a-w- c:\users\tommy\AppData\Roaming\PnkBstrK.sys
2009-05-19 12:21 . 2009-01-14 10:26 22328 ----a-w- c:\users\tommy\AppData\Roaming\PnkBstrK.sys
2009-04-30 12:37 . 2009-06-14 19:25 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-04-30 12:37 . 2009-06-14 19:25 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-04-24 16:05 . 2009-06-10 22:29 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-10 22:29 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-10 22:29 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-10 22:29 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-10 22:29 636928 ----a-w- c:\windows\system32\localspl.dll
2009-06-13 04:27 . 2008-12-03 08:11 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2006-11-22 14:58 . 2006-11-22 14:58 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"InternodeUsage"="c:\progra~1\INTERN~2\mum.exe" [2008-11-30 1340416]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-18 125952]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"uTorrent"="c:\users\tommy\Downloads\utorrent.exe" [2009-03-21 270128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-18 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-18 1008184]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"DeathAdder"="c:\program files\Razer\DeathAdder\razerhid.exe" [2007-09-07 159744]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-03-19 2029640]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13687328]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 92704]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-05-07 6139904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^tommy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^hamachi.lnk]
path=c:\users\tommy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hamachi.lnk
backup=c:\windows\pss\hamachi.lnk.Startup
backupExtension=.Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{BD359CA7-0513-415B-BAA0-6C4A8DBD5438}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C9B8A0EA-23FF-4819-B287-2798EB87F421}"= UDP:c:\program files\RealVNC\VNC4\winvnc4.exe:VNC Server
"{D7C3DD93-4C97-4F4B-8D3C-506009328BD6}"= TCP:c:\program files\RealVNC\VNC4\winvnc4.exe:VNC Server
"{CA4B433C-C642-4CA9-A730-33D09EE3A8B4}"= UDP:c:\users\tommy\Downloads\utorrent.exe:µTorrent (TCP-In)
"{CA34896D-544B-4401-843D-D1BE7BB14952}"= TCP:c:\users\tommy\Downloads\utorrent.exe:µTorrent (UDP-In)
"{2566EF2B-ACD0-49B9-A9DE-9E3D70BFBE43}"= UDP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{B9ECEB68-1BA6-4414-B4BC-CF31EEAF9099}"= TCP:c:\windows\System32\PnkBstrA.exe:PnkBstrA
"{BC752B89-86FA-425B-9B5B-C67DA3C1E8E0}"= UDP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{286D9B7B-E398-456B-BCD9-C879824DA81A}"= TCP:c:\windows\System32\PnkBstrB.exe:PnkBstrB
"{76838CDA-0F0A-4C36-9C50-6163A501936B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E8665250-A262-462D-9898-A53587D75481}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{4F2570D6-5E91-4849-8BD6-A3692E9E1033}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{9CF6E3CE-714E-4291-B5C0-4F3E056FFE30}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{1AB3A555-E924-4C80-9744-92F40B49C43C}"= UDP:c:\program files\Steam\steamapps\common\world of goo demo\WorldOfGoo.exe:World of Goo Demo
"{52D73351-3464-40EB-B84B-E89146A704FA}"= TCP:c:\program files\Steam\steamapps\common\world of goo demo\WorldOfGoo.exe:World of Goo Demo
"{555F0E30-98D4-4525-A3A8-E28C84145075}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{42E5294B-2D97-4343-9961-91D2A8E16DE5}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{080E8B60-3938-4514-B5A4-EB9A1C30E555}"= UDP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead
"{6B9E27F1-504C-4B22-A5F6-BB9979AC18EC}"= TCP:c:\program files\Steam\steamapps\common\left 4 dead\left4dead.exe:Left 4 Dead

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Users\\tommy\\AppData\\Local\\Temp\\nscBFCE.tmp\\srchost.exe"= c:\users\tommy\AppData\Local\Temp\nscBFCE.tmp\srchost.exe:*:Enabled:@xpsp2res.dll,-22019

R1 ehdrv;ehdrv;c:\windows\System32\drivers\ehdrv.sys [19/03/2009 11:44 AM 107256]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [19/03/2009 11:44 AM 731840]
R2 epfwwfp;epfwwfp;c:\windows\System32\drivers\epfwwfp.sys [19/03/2009 11:45 AM 38240]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [3/12/2008 5:06 PM 80392]
R3 DAdderFltr;DeathAdder Mouse;c:\windows\System32\drivers\dadder.sys [10/12/2008 4:08 PM 22784]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {DBADD39B-2862-4D52-BC64-8DE643601EE9} = 192.168.1.254
FF - ProfilePath - c:\users\tommy\AppData\Roaming\Mozilla\Firefox\Profiles\g8lllwj0.default\
FF - prefs.js: browser.startup.homepage - www.google.com.au
FF - component: c:\users\tommy\AppData\Roaming\Mozilla\Firefox\Profiles\g8lllwj0.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - plugin: c:\programdata\id Software\QuakeLive\npquakezero.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-21 16:19
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-21 16:21
ComboFix-quarantined-files.txt 2009-07-21 06:50

Pre-Run: 82,460,524,544 bytes free
Post-Run: 82,413,404,160 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,3,4,6
176 --- E O F --- 2009-07-18 02:24
--- End of File ---


Thankyou for all your help so far,

Kind Regards,

Tom.

[JSntgRvr]

Hi, tommy_

After following the Combofix instructions I do not recall being prompted to 'Install the Recovery Console'.

This is not available in Windows Vista.

Lets scan for remnants:

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.

• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure the following is checked.
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
• Please post this log in your next reply.

Upgrading Java:

• Download the latest version of Java SE Runtime Environment (JRE)JRE 6 Update 14.
• Click the "Download" button to the right.
• Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
• Click on Continue.
• Click on the link to download Windows Offline Installation (jre-6u14-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
• Check any item with Java Runtime Environment (JRE or J2SE) in the name.
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u14-windows-i586.exe and select "Run as an Administrator.")

[tommy_]

Thankyou again for your reply, JSntgRvr.

Here is the Kasperky Online Webscanner scan log:

--- Start of File ---
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 22, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 22, 2009 08:02:27
Records in database: 2511293
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\

Scan statistics:
Files scanned: 144176
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:04:26


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\Users\tommy\Downloads\mirc634.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Users\tommy\Downloads\mIRC_v6.33.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.

--- End of File ---

Kind regards,

Tom.

[JSntgRvr]

Hi, tommy_

We can consider these finding false positives. All seems neutralized. How is the computer doing?

[tommy_]

The computer seems to be working fine.

Is there any other procedures that I should run the computer through regarding this infection, or are we all good as far as we can tell?

Thankyou again for helping me with this problem, it's good to see it fixed.

Kind regards,

Tom.

[JSntgRvr]

Hi, tommy_

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

To turn off Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK
9. When you have finished, restart the computer and follow the instructions in the next section to turn on System Restore.

To turn on Windows Vista System Restore:

1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Place a checkmark in the box for any drive you wish to enable System Restore on
7. Click OK

Graphic instructions:

http://www.bleepingc...utorial143.html

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix

• Click START then type CMD in the Search box.
• Press Ctrl+Shift+Enter to obtain an Administrator Command Prompt
• At the prompt type (Copy and Paste) the following and press Enter after each line (Combofix will launch only to uninstall):
  
  "c:\users\tommy\Desktop\ComboFix.exe" /u (Include the quotation marks). Note the space between the quotation mark and the /u, it needs to be there.
  
  
• Type Exit and Press Enter to return to Windows.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

• Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  
• AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  
• SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  
• ZonedOut + IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  
• ATF! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  
• Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  
• Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  
• Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
• ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

[JSntgRvr]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.