[Render]

Since when? You see the messages in Inbox but you can't read them when you click on message?

Are you using a router? If yes try to reset it.

This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router. Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).

[Advertisements]

Both PCs and the USB stick were already vaccinated with Panda.

I've been unable to open my hotmail messages since this morning. I've switched the router off and on again, but it makes no difference. The working computer is on the same router, and we can open gmail messages.

Here's the aswMBR log

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-21 12:27:22
-----------------------------
12:27:22.843 OS Version: Windows 5.1.2600 Service Pack 3
12:27:22.843 Number of processors: 2 586 0xF0D
12:27:22.843 ComputerName: MAGGIE UserName: M
12:27:23.453 Initialize success
12:27:26.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:27:26.343 Disk 0 Vendor: Hitachi_HDP725032GLA360 GM3OA5BA Size: 305245MB BusType: 3
12:27:28.406 Disk 0 MBR read successfully
12:27:28.406 Disk 0 MBR scan
12:27:28.406 Disk 0 unknown MBR code
12:27:30.468 Disk 0 scanning sectors +625137345
12:27:30.500 Disk 0 scanning C:\WINDOWS\system32\drivers
12:27:37.218 Service scanning
12:27:38.078 Disk 0 trace - called modules:
12:27:38.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a5111ed]<<
12:27:38.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5b1ab8]
12:27:38.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a5d70c0]
12:27:38.093 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5a9d98]
12:27:38.093 \Driver\atapi[0x8a5b7f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a5111ed
12:27:38.093 Scan finished successfully
12:34:53.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\M\My Documents\Maggie2011\MBR.dat"
12:34:53.156 The log file has been saved successfully to "C:\Documents and Settings\M\My Documents\Maggie2011\aswMBR.txt"

[magsofpendle]

Both PCs and the USB stick were already vaccinated with Panda.

I've been unable to open my hotmail messages since this morning. I've switched the router off and on again, but it makes no difference. The working computer is on the same router, and we can open gmail messages.

Here's the aswMBR log

aswMBR version 0.9.5.256 Copyright© 2011 AVAST Software
Run date: 2011-05-21 12:27:22
-----------------------------
12:27:22.843 OS Version: Windows 5.1.2600 Service Pack 3
12:27:22.843 Number of processors: 2 586 0xF0D
12:27:22.843 ComputerName: MAGGIE UserName: M
12:27:23.453 Initialize success
12:27:26.343 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:27:26.343 Disk 0 Vendor: Hitachi_HDP725032GLA360 GM3OA5BA Size: 305245MB BusType: 3
12:27:28.406 Disk 0 MBR read successfully
12:27:28.406 Disk 0 MBR scan
12:27:28.406 Disk 0 unknown MBR code
12:27:30.468 Disk 0 scanning sectors +625137345
12:27:30.500 Disk 0 scanning C:\WINDOWS\system32\drivers
12:27:37.218 Service scanning
12:27:38.078 Disk 0 trace - called modules:
12:27:38.093 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a5111ed]<<
12:27:38.093 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a5b1ab8]
12:27:38.093 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006b[0x8a5d70c0]
12:27:38.093 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a5a9d98]
12:27:38.093 \Driver\atapi[0x8a5b7f38] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x8a5111ed
12:27:38.093 Scan finished successfully
12:34:53.156 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\M\My Documents\Maggie2011\MBR.dat"
12:34:53.156 The log file has been saved successfully to "C:\Documents and Settings\M\My Documents\Maggie2011\aswMBR.txt"

[Render]

Now run Rootkit Unhooker once again as described here and post log.

[magsofpendle]

Hi

We have done that and the report follows.

We have reset router and Hotmail still will not open mail.

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB92BC000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5763072 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA65B8000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4550656 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF1F2000 C:\WINDOWS\System32\igxpdx32.DLL 2732032 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2154496 bytes
0x804D7000 RAW 2154496 bytes
0x804D7000 WMIxWDM 2154496 bytes
0xBF800000 Win32k 1859584 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1720320 bytes (Intel Corporation, Component GHAL Driver)
0xB9E5C000 iaStor.sys 815104 bytes (Intel Corporation, Intel Matrix Storage Manager driver - ia32)
0xB9D2E000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA0DD8000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB9142000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA0F9A000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9D62D000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xBF48D000 C:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB9267000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x9CCDF000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB91A0000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9E252000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9D01000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9CB53000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA0E48000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB921B000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA0F72000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA0556000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 155648 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xA0EE5000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9CB7E000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xA6594000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB9243000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB91F8000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA0533000 C:\WINDOWS\system32\DRIVERS\rt2500usb.sys 143360 bytes (Ralink Technology Inc., Sample Driver for Ralink 802.11g Wireless USB Adapters)
0xA0EC3000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xA0E73000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E5000 ACPI_HAL 134400 bytes
0x806E5000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9DF7000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB9CE7000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9E44000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9E3D4000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9E17000 C:\WINDOWS\System32\Drivers\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xB9DCE000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB91E1000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E397000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xB9E2F000 epstwnt.mpd 86016 bytes (Shuttle Technology. , Epst Miniport Driver(Version 2.19.01))
0x9E1ED000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB92A8000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA0FF3000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xB9DBB000 WudfPf.sys 77824 bytes (Microsoft Corporation, Windows Driver Foundation - User-mode Driver Framework Platform Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9DE5000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB91D0000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xBA1A8000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA248000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA318000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA21FB000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA128000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA148000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA5F24000 C:\DOCUME~1\M\LOCALS~1\Temp\aswMBR.sys 45056 bytes
0xA276E000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA138000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA188000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA168000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA617B000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xA278E000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9CFE8000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA0F8000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xA279E000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xBA458000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xA55B5000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3A0000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3A8000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xBA428000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xA1062000 C:\WINDOWS\system32\DRIVERS\usbprint.sys 28672 bytes (Microsoft Corporation, USB Printer driver)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA3D0000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xBA480000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xBA460000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xA106A000 C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys 24576 bytes (Magic Control Technology Corp., USB to Serial Converter Driver for WIN2KXP)
0xBA398000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA55AD000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA55A5000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3C0000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA1072000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0x9E3B4000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 16384 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0x9E051000 C:\WINDOWS\System32\Drivers\Aspi32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0x9D4B1000 C:\WINDOWS\system32\GTNDIS5.SYS 16384 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 Protocol Driver)
0x9EAE0000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9857000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0x9E3B0000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA12E2000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xBA59C000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xBA570000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA564000 C:\WINDOWS\System32\Drivers\i2omgmt.SYS 12288 bytes (Microsoft Corporation, I2O Utility Filter)
0x9E3F8000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9CAF000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA6578000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA66C000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xBA65C000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5C4000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA65A000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA65E000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA660000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5CE000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5D6000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6D3000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA7E6000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA7A0000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x8A512A91 Unknown page with executable code, 1391 bytes
0x8A515860 Unknown page with executable code, 1952 bytes
0x8A515781 Unknown page with executable code, 2175 bytes
0x8A517718 Unknown page with executable code, 2280 bytes
0x8A5175B1 Unknown page with executable code, 2639 bytes
0x8A511288 Unknown page with executable code, 3448 bytes
0x8A513191 Unknown page with executable code, 3695 bytes
0xBA0C8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8A515E7A Unknown thread object [ ETHREAD 0x8A542020 ] TID: 124, 600 bytes
0x8A518008 Unknown thread object [ ETHREAD 0x8A533380 ] TID: 128, 600 bytes
0x8A5170DE Unknown thread object [ ETHREAD 0x8A5B34A8 ] , 600 bytes
0x8A515B45 Unknown thread object [ ETHREAD 0x8A5A65F0 ] , 600 bytes
0x8A517CDC Unknown page with executable code, 804 bytes


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)

Thanks.

Mags

[Render]

We have reset router and Hotmail still will not open mail.

Let's fix that computer first and then we will look the other one. OK?

Please do this:

Please download ComboFix from one of these locations:

Bleepingcomputer
ForoSpyware

Notes:

• Do not mouse-click Combofix's window while it is running. That may cause it to stall.
• ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer the default browser.
• Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
• CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
• If you are using personal certificates I recommend you to export them before running ComboFix and save them to external media.

Please carefully follow all steps below:

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
• Double click on Combofix.exe and follow the prompts.
  Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes. ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
• When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Give it atleast 20-30 minutes to finish if needed.

Please do not attach the scan results from Combofx. Use copy/paste.

Also please describe how your computer behaves at the moment.

[magsofpendle]

Hi Render

We have run Combofix and the report is below.

Avira turned back on after rebooting and reported 245 viruses. We did not destroy them. We turned Avira off again.

BTW When we transferred flashdrive to working computer,it had four viruses, detected by Avira, even though Flashdrive had been vaccinated.

ComboFix 11-05-21.03 - M 22/05/2011 8:49.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1446 [GMT 1:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\M\WINDOWS
.
Infected copy of c:\windows\system32\drivers\volsnap.sys was found and disinfected
Restored copy from - Kitty had a snack
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-21 09:21 . 2011-05-21 09:21 -------- d-----w- c:\documents and settings\M\Local Settings\Application Data\Mozilla
2011-05-21 08:48 . 2011-05-21 08:48 -------- d-----w- C:\_OTL
2011-05-21 08:42 . 2011-05-22 07:54 -------- d-----w- c:\program files\iekbapgb
2011-05-20 13:49 . 2011-05-20 13:49 -------- d-----w- C:\_OTM
2011-05-13 16:05 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-13 16:05 . 2011-05-13 16:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 07:58 . 2011-05-20 09:02 -------- d-----w- c:\windows\system32\NtmsData
2011-04-23 15:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-23 15:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
2011-04-22 09:04 . 2011-04-22 09:04 -------- d-----w- c:\program files\Microsoft Silverlight
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-30 13:12 . 2008-07-10 09:02 1080 ----a-w- c:\windows\AUTOLNCH.REG
2011-03-18 10:13 . 2010-11-03 12:33 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2004-08-11 16:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-11 16:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 16:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 16132608]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-10-31 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"hpppt"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe" [1998-11-24 106496]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 43520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-08 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\iekbapgb\nkcnkppr.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-26 14:15 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/11/2010 13:33 136360]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [26/03/2009 13:15 464264]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [01/06/2008 14:10 49152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [02/10/2010 15:07 88176]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [30/05/2008 11:42 140416]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [10/07/2008 10:02 84480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [10/07/2008 10:02 18432]
S3 7B940C2D;7B940C2D;c:\windows\system32\7B940C2D.exe --> c:\windows\system32\7B940C2D.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [17/06/2008 13:34 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [29/05/2008 18:07 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [29/05/2008 18:07 14336]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26/05/2008 15:09 30192]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\User_Feed_Synchronization-{497023B5-55C0-472F-A9D8-BD6CE7F8A1E2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
AddRemove-Excel - c:\program files\Microsoft Office\Office\Setup\AcmeXl.exe
AddRemove-Word8.0 - c:\program files\Microsoft Office\Office\Setup\AcmeWord.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 08:54
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe 256796 bytes executable
C:\nkcnkppr.exe 256796 bytes executable
.
scan completed successfully
hidden files: 2
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_clp300_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(884)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(1220)
c:\windows\system32\WININET.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\program files\Kontiki\KService.exe
.
**************************************************************************
.
Completion time: 2011-05-22 08:59:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 07:59
.
Pre-Run: 291,434,516,480 bytes free
Post-Run: 291,077,681,152 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 53E0F5D971827D728F4F3D9D94727520

Mags

[Render]

Hi,

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\program files\iekbapgb\nkcnkppr.exe
c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe
C:\nkcnkppr.exe

Folder::
c:\program files\iekbapgb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\\windows\\system32\\userinit.exe"

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[magsofpendle]

Hi Render

Here is result of ComboFix.txt

Thanks.

---------
ComboFix 11-05-21.03 - M 22/05/2011 18:47:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1488 [GMT 1:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\M\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
FILE ::
"c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe"
"C:\nkcnkppr.exe"
"c:\program files\iekbapgb\nkcnkppr.exe"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe
C:\nkcnkppr.exe
c:\program files\iekbapgb\nkcnkppr.exe
c:\program files\iekbapgb . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-21 09:21 . 2011-05-21 09:21 -------- d-----w- c:\documents and settings\M\Local Settings\Application Data\Mozilla
2011-05-21 08:48 . 2011-05-21 08:48 -------- d-----w- C:\_OTL
2011-05-21 08:42 . 2011-05-22 17:55 -------- d-----w- c:\program files\iekbapgb
2011-05-20 13:49 . 2011-05-20 13:49 -------- d-----w- C:\_OTM
2011-05-13 16:05 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-13 16:05 . 2011-05-13 16:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 07:58 . 2011-05-20 09:02 -------- d-----w- c:\windows\system32\NtmsData
2011-04-23 15:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-23 15:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-30 13:12 . 2008-07-10 09:02 1080 ----a-w- c:\windows\AUTOLNCH.REG
2011-03-18 10:13 . 2010-11-03 12:33 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2004-08-11 16:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-11 16:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 16:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-22_07.54.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-22 17:55 . 2011-05-22 17:55 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 16132608]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-10-31 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"hpppt"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe" [1998-11-24 106496]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 43520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-08 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="c:\windows\system32\userinit.exe,,c:\program files\iekbapgb\nkcnkppr.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-26 14:15 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/11/2010 13:33 136360]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [26/03/2009 13:15 464264]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [01/06/2008 14:10 49152]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [02/10/2010 15:07 88176]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [30/05/2008 11:42 140416]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [10/07/2008 10:02 84480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [10/07/2008 10:02 18432]
S3 7B940C2D;7B940C2D;c:\windows\system32\7B940C2D.exe --> c:\windows\system32\7B940C2D.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [17/06/2008 13:34 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [29/05/2008 18:07 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [29/05/2008 18:07 14336]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26/05/2008 15:09 30192]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\User_Feed_Synchronization-{497023B5-55C0-472F-A9D8-BD6CE7F8A1E2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 18:58
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe 256796 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_clp300_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Internet Explorer\iexplore.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Kontiki\KService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-22 19:00:24 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 18:00
ComboFix2.txt 2011-05-22 07:59
.
Pre-Run: 289,517,436,928 bytes free
Post-Run: 289,474,101,248 bytes free
.
- - End Of File - - 3D4046126A88DCFC7014605C54D6DD8A

[Render]

OK. Do this:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

DirLook::
c:\program files\iekbapgb

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"=-
"Userinit"="c:\\windows\\system32\\userinit.exe"

Driver::

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[magsofpendle]

Next reply: ComboFixTxt:

ComboFix 11-05-21.03 - M 22/05/2011 20:34:24.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1494 [GMT 1:00]
Running from: c:\documents and settings\M\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\M\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-21 09:21 . 2011-05-21 09:21 -------- d-----w- c:\documents and settings\M\Local Settings\Application Data\Mozilla
2011-05-21 08:48 . 2011-05-21 08:48 -------- d-----w- C:\_OTL
2011-05-21 08:42 . 2011-05-22 17:55 -------- d-----w- c:\program files\iekbapgb
2011-05-20 13:49 . 2011-05-20 13:49 -------- d-----w- C:\_OTM
2011-05-13 16:05 . 2010-12-20 17:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-13 16:05 . 2011-05-13 16:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-05-12 07:58 . 2011-05-20 09:02 -------- d-----w- c:\windows\system32\NtmsData
2011-04-23 15:29 . 2009-08-06 18:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2011-04-23 15:29 . 2009-08-06 18:23 215920 ----a-w- c:\windows\system32\muweb.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-30 13:12 . 2008-07-10 09:02 1080 ----a-w- c:\windows\AUTOLNCH.REG
2011-03-18 10:13 . 2010-11-03 12:33 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-03-07 05:33 . 2004-08-11 16:12 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-11 16:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-11 16:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-11 16:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-11 16:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-11 16:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-11 16:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\iekbapgb ----
.
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-22_07.54.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-22 17:58 . 2011-05-22 17:58 16384 c:\windows\Temp\Perflib_Perfdata_f1c.dat
+ 2011-05-22 17:55 . 2011-05-22 17:55 16384 c:\windows\Temp\Perflib_Perfdata_504.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-10-16 18:22 333192 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-10-16 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-26 68856]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-16 16132608]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-10-31 30192]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2008-02-28 17920]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-02-26 128296]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]
"hpppt"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\hpppt.exe" [1998-11-24 106496]
"HP Lamp"="c:\program files\Hewlett-Packard\HP PrecisionScan\PrecisionScan\HPLamp.exe" [1998-11-24 43520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2008-07-11 423200]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-08 281768]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-05-26 14:15 10536 ------w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 19:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/05/2010 19:41 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [03/11/2010 13:33 136360]
R2 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe [26/03/2009 13:15 464264]
R2 Belkin 54g Wireless USB Network Adapter Service;Belkin 54g Wireless USB Network Adapter;c:\program files\Belkin\Belkin Wireless Network Utility\WLService.exe [01/06/2008 14:10 49152]
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [30/05/2008 11:42 140416]
S0 epstwnt;epstwnt;c:\windows\system32\drivers\epstwnt.mpd [10/07/2008 10:02 84480]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [02/10/2010 15:07 88176]
S2 SHARSHTL;Shuttle Sharer;c:\windows\system32\drivers\Sharshtl.sys [10/07/2008 10:02 18432]
S3 7B940C2D;7B940C2D;c:\windows\system32\7B940C2D.exe --> c:\windows\system32\7B940C2D.exe [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [17/06/2008 13:34 20160]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [31/01/2010 18:46 135664]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [29/05/2008 18:07 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [29/05/2008 18:07 14336]
S3 SM_clp300_FUService;CLP-300 Status Monitor Service;"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service --> c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc [?]
S4 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [26/05/2008 15:09 30192]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 17:46]
.
2011-05-22 c:\windows\Tasks\User_Feed_Synchronization-{497023B5-55C0-472F-A9D8-BD6CE7F8A1E2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_6CE5017F567343CA.dll/cmsidewiki.html
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 20:38
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwQueryDirectoryFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe 256796 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\epstwnt]
"ImagePath"="System32\Drivers\epstwnt.mpd"
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SM_clp300_FUService]
"ImagePath"="\"c:\program files\Samsung\Samsung CLP-300 Series\SPanel\ssmsrvc /Service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
- - - - - - - > 'explorer.exe'(844)
c:\windows\system32\WININET.dll
c:\progra~1\mcafee\SITEAD~1\saHook.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-05-22 20:40:05
ComboFix-quarantined-files.txt 2011-05-22 19:40
ComboFix2.txt 2011-05-22 18:00
ComboFix3.txt 2011-05-22 07:59
.
Pre-Run: 286,879,469,568 bytes free
Post-Run: 286,853,578,752 bytes free
.
- - End Of File - - DCBEBB03B510CF6CC9C3027D11A458CE



Thanks

Mags

[Render]

Are you still getting the redirects?

Please do the following:

• Please download RegQuery by Noviciate to your desktop.
• Copy the following registry keypath (one line each time) by highlighting the text and pressing CTRL and C at the same time.
  
  HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
  
  
• Right click on RegQuery.exe icon on your desktop and click on Run as administrator
• Paste the text you have copied using CRTL and V, into the textbox
• Click the Query button
• A Notepad file will open. Please paste the contents for each query in your next reply
• You may now close the RegQuery program

[magsofpendle]

Hi Render

Here is reply to RegQuery. Thanks.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"AutoRestartShell"=dword:00000001
"DefaultUserName"="M"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"PowerdownAfterShutdown"="0"
"ReportBootOk"="1"
"Shell"="Explorer.exe"
"ShutdownWithoutLogon"="0"
"System"=""
"VmApplet"="rundll32 shell32,Control_RunDLL \"sysdm.cpl\""
"SfcQuota"=dword:ffffffff
"allocatecdroms"="0"
"allocatedasd"="0"
"allocatefloppies"="0"
"cachedlogonscount"="10"
"forceunlocklogon"=dword:00000000
"passwordexpirywarning"=dword:0000000e
"scremoveoption"="0"
"AllowMultipleTSSessions"=dword:00000001
"UIHost"=hex(2):6c,00,6f,00,67,00,6f,00,6e,00,75,00,69,00,2e,00,65,00,78,00,65,\
00,00,00
"LogonType"=dword:00000001
"Background"="0 0 0"
"DefaultPassword"=""
"DebugServerCommand"="no"
"SFCDisable"=dword:00000000
"WinStationsDisabled"="0"
"HibernationPreviouslyEnabled"=dword:00000001
"ShowLogonOptions"=dword:00000000
"AltDefaultUserName"="M"
"AltDefaultDomainName"="MAGGIE"
"DefaultDomainName"="MAGGIE"
"ChangePasswordUseKerberos"=dword:00000001
"LegalNotice Text"=""
"Userinit"="C:\\WINDOWS\\system32\\Userinit.exe,,C:\\Program Files\\iekbapgb\\nkcnkppr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7FE63}]
@="Wireless"
"ProcessGroupPolicy"="ProcessWIRELESSPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{25537BA6-77A8-11D2-9B6C-0000F8080861}]
@="Folder Redirection"
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"DllName"=hex(2):66,00,64,00,65,00,70,00,6c,00,6f,00,79,00,2e,00,64,00,6c,00,\
6c,00,00,00
"NoMachinePolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"NoGPOListChanges"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"GenerateGroupPolicy"="GenerateGroupPolicy"
"EventSources"=hex(7):28,00,46,00,6f,00,6c,00,64,00,65,00,72,00,20,00,52,00,65,\
00,64,00,69,00,72,00,65,00,63,00,74,00,69,00,6f,00,6e,00,2c,00,41,00,70,00,\
70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=hex(2):64,00,73,00,6b,00,71,00,75,00,6f,00,74,00,61,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{426031c0-0b47-4852-b0ca-ac3d37bfcb39}]
@="QoS Packet Scheduler"
"ProcessGroupPolicy"="ProcessPSCHEDPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{42B5FAAE-6536-11d2-AE5A-0000F87571E3}]
@="Scripts"
"ProcessGroupPolicy"="ProcessScriptsGroupPolicy"
"ProcessGroupPolicyEx"="ProcessScriptsGroupPolicyEx"
"GenerateGroupPolicy"="GenerateScriptsGroupPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoSlowLink"=dword:00000001
"NoGPOListChanges"=dword:00000001
"NotifyLinkTransition"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@="Internet Explorer Zonemapping"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@="Internet Explorer User Accelerators"
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=hex(2):73,00,63,00,65,00,63,00,6c,00,69,00,2e,00,64,00,6c,00,6c,00,\
00,00
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@="802.3 Group Policy"
"DisplayName"=hex(2):40,00,64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,\
00,74,00,2e,00,64,00,6c,00,6c,00,2c,00,2d,00,31,00,30,00,30,00,00,00
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=hex(2):64,00,6f,00,74,00,33,00,67,00,70,00,63,00,6c,00,6e,00,74,00,\
2e,00,64,00,6c,00,6c,00,00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@="Microsoft Offline Files"
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,\
00,73,00,63,00,75,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@="Software Installation"
"DllName"=hex(2):61,00,70,00,70,00,6d,00,67,00,6d,00,74,00,73,00,2e,00,64,00,\
6c,00,6c,00,00,00
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=hex(7):28,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,20,00,4d,00,61,00,6e,00,61,00,67,00,65,00,6d,00,65,00,6e,00,\
74,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,00,6f,00,6e,\
00,29,00,00,00,28,00,4d,00,73,00,69,00,49,00,6e,00,73,00,74,00,61,00,6c,00,\
6c,00,65,00,72,00,2c,00,41,00,70,00,70,00,6c,00,69,00,63,00,61,00,74,00,69,\
00,6f,00,6e,00,29,00,00,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@="Internet Explorer Machine Accelerators"
"DisplayName"="@C:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="C:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\GPExtensions\{e437bc1c-aa7d-11d2-a382-00c04f991e27}]
@="IP Security"
"ProcessGroupPolicy"="ProcessIPSECPolicy"
"DllName"=hex(2):67,00,70,00,74,00,65,00,78,00,74,00,2e,00,64,00,6c,00,6c,00,\
00,00
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\!SASWinLogon]
"DllName"="C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\dimsntfy]
"Asynchronous"=dword:00000001
"DllName"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,\
00,69,00,6d,00,73,00,6e,00,74,00,66,00,79,00,2e,00,64,00,6c,00,6c,00,00,00
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\GoToAssist]
"DLLName"="C:\\Program Files\\Citrix\\GoToAssist\\514\\G2AWinLogon.dll"
"Logoff"="G2ALogoff"
"Asynchronous"=dword:00000000
"Logon"="G2ALogon"
"Startup"="G2AStartup"
"Impersonate"=dword:00000000
"Shutdown"="G2AShutdown"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxdev.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Event"=dword:00000001
"InstallEvent"="1.9.0040.0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\WgaLogon\Settings]
@=""
"Data"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,\
00,00,fc,88,58,bf,c0,9f,3e,4c,a1,ab,e8,99,63,e5,b5,b3,04,00,00,00,04,00,00,\
00,53,00,00,00,03,66,00,00,a8,00,00,00,10,00,00,00,53,95,b4,1e,42,3c,cc,32,\
03,36,25,01,a8,79,81,dc,00,00,00,00,04,80,00,00,a0,00,00,00,10,00,00,00,38,\
b5,18,9e,0f,df,11,69,26,9c,c8,1b,2e,95,d0,19,b0,01,00,00,ea,02,0e,46,24,39,\
d7,6d,a8,c4,6d,8b,91,b8,20,ce,11,5b,a8,68,af,3b,56,5c,cb,ac,0b,93,3b,d1,ad,\
c3,d0,b8,de,56,7e,e4,bf,e4,e8,3a,40,45,2a,32,3d,ac,3c,d7,99,81,44,e4,d1,9c,\
70,40,84,a6,cc,5d,5c,a4,1c,0e,54,16,1e,56,be,fe,20,68,ef,1c,31,ad,d7,5b,da,\
38,06,84,83,7f,d9,a3,6e,09,74,2a,dc,1f,18,cc,90,42,35,c8,35,14,94,1a,ef,59,\
b1,49,92,5f,d1,bb,69,33,03,27,1b,d7,e8,93,39,8f,8d,99,a1,cf,f8,83,07,91,52,\
aa,76,1c,09,cf,74,3d,9a,1b,6a,12,75,15,b1,3c,7c,e1,4e,21,52,aa,03,6c,70,7b,\
77,cb,59,26,b3,f6,fb,45,24,29,6b,fb,6d,da,20,96,19,45,4f,90,49,fa,9f,e4,6b,\
51,6e,e1,a1,ba,ae,c1,65,60,16,6e,ba,ae,e3,48,00,ab,9a,0f,21,f3,fa,bb,6c,31,\
31,f1,0e,30,75,0b,4c,de,e8,86,3c,42,57,d7,ec,03,2b,ce,df,cb,fc,a2,f2,42,d3,\
a8,f1,34,15,14,e7,59,e3,6b,11,dc,99,c7,c3,09,09,f8,85,1f,32,fc,91,d6,03,72,\
94,b0,37,39,9d,df,91,ad,55,df,6d,98,71,11,b6,e0,b1,b1,4c,cb,5a,95,e3,0f,55,\
42,66,6c,68,fb,2e,dc,41,2a,4d,cf,42,82,b2,27,03,60,78,9e,6f,de,ba,27,ec,58,\
04,4b,19,74,d7,a4,84,b7,e9,00,8d,cf,82,b9,45,76,30,69,cf,6f,a5,e1,2c,e5,b3,\
c3,2b,67,1f,cf,ea,ce,aa,73,2f,27,ae,f7,43,cc,05,f7,8e,ec,10,9e,13,33,b9,f5,\
ad,b0,1a,d7,b3,26,1f,b3,6f,bd,22,9b,2f,6c,06,5a,f4,33,9f,83,c9,70,ff,86,fe,\
8a,7b,c7,2a,4a,03,2a,26,be,58,aa,8c,8f,18,0e,17,3b,a0,a4,e6,30,86,71,a2,75,\
5e,d5,17,41,2e,c4,5a,72,e5,e1,c0,d4,8b,2b,f8,af,ca,ac,32,8b,7b,58,21,99,45,\
bd,14,00,00,00,be,66,f4,dc,fe,96,3e,cd,ca,a8,e4,de,0c,73,0c,4f,89,f7,7c,a7

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\SpecialAccounts\UserList]
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000

[magsofpendle]

Hi Render

It appears I am now able to use the infected computer again and can access Google homepage and internet sites again, but do not know whether it is safe to do so. For one thing, Avira Virus Guard is switched off and will not turn on again and I do not want to access any site other than Geekstogo without it.

What is it safe to do now? My hotmail account is operating from a different computer now.

Mags

[Render]

Please don't use this computer for browsing yet. It seems still infected. I'm at work right now and will be back to you at around 16:00 CET.

[Render]

Try with this now:

We need to run an OTL Fix

• Please reopen on your desktop.
• Copy (select all lines inside quote box and press CTRL+C) and Paste (press CTRL+V) the following code into the textbox.
  
  

  :OTL
  
  :Files
  attrib -s -h -r "c:\documents and settings\M\Start Menu\Programs\Startup\*.*" /c
  c:\documents and settings\M\Start Menu\Programs\Startup\nkcnkppr.exe
  ipconfig /flushdns /c
  
  :Reg
  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
  "Userinit"="C:\\WINDOWS\\system32\\Userinit.exe"
  
  :Commands
  [purity]
  [resethosts]
  [emptytemp]
  [EMPTYFLASH]
  [CREATERESTOREPOINT]
  [Reboot]

• Click on button.
• OTL may ask to reboot the machine. Please do so if asked.
• Click on button.
• A report will open. Copy and Paste that report in your next reply.
• If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.