something causing various problems


#16 General Field Marshal (Topic Starter, Member, 71 posts)
MBRCheck again:

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000014

Kernel Drivers (total 132):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EF000 \WINDOWS\system32\hal.dll
0xF7D60000 \WINDOWS\system32\KDCOM.DLL
0xF7C70000 \WINDOWS\system32\BOOTVID.dll
0xF7811000 ACPI.sys
0xF7D62000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7800000 pci.sys
0xF7860000 isapnp.sys
0xF7C74000 compbatt.sys
0xF7C78000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7E28000 pciide.sys
0xF7AE0000 \WINDOWS\System32\DRIVERS\PCIIDEX.SYS
0xF7D64000 intelide.sys
0xF77E2000 pcmcia.sys
0xF7870000 MountMgr.sys
0xF77C3000 ftdisk.sys
0xF7C7C000 ACPIEC.sys
0xF7E29000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xF7AE8000 PartMgr.sys
0xF7880000 VolSnap.sys
0xF77AB000 atapi.sys
0xF7890000 disk.sys
0xF78A0000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF778B000 fltMgr.sys
0xF7779000 sr.sys
0xF78B0000 PxHelp20.sys
0xF7762000 KSecDD.sys
0xF76D5000 Ntfs.sys
0xF76A8000 NDIS.sys
0xF768E000 Mup.sys
0xF78C0000 agp440.sys
0xF78F0000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7510000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF74FC000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7B08000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF74D8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7B10000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF74B0000 \SystemRoot\system32\DRIVERS\e1000325.sys
0xF7900000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7B20000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF73FB000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7D6E000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF7B28000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7B38000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF7910000 \SystemRoot\system32\DRIVERS\serial.sys
0xF7CFC000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF73E7000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7B40000 \SystemRoot\system32\DRIVERS\nscirda.sys
0xF7D04000 \SystemRoot\system32\DRIVERS\irenum.sys
0xF7D10000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF7D14000 \SystemRoot\system32\DRIVERS\ibmpmdrv.sys
0xF7920000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7930000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7940000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF73C4000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7D28000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF738E000 \SystemRoot\system32\drivers\smwdm.sys
0xF7342000 \SystemRoot\system32\drivers\portcls.sys
0xF7950000 \SystemRoot\system32\drivers\drmk.sys
0xF7322000 \SystemRoot\system32\drivers\aeaudio.sys
0xF72EF000 \SystemRoot\system32\DRIVERS\HSFHWICH.sys
0xF71F1000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
0xF7145000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF7B80000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7EC6000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7B90000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xF7BA0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7960000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7D44000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF712E000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7970000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7980000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF711D000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7990000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7BC0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7BD0000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF70ED000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF79A0000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF7D74000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF6FEF000 \SystemRoot\system32\DRIVERS\update.sys
0xF7655000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79B0000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF79E0000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7D7C000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF7F14000 \SystemRoot\System32\Drivers\Null.SYS
0xF7D80000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7C10000 \SystemRoot\System32\drivers\vga.sys
0xF7D84000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7D88000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF7C20000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7C30000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF7382000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xBA785000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xBA72C000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF7A30000 \SystemRoot\System32\Drivers\aswTdi.SYS
0xBA706000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF7A40000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA6DE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF7C48000 \SystemRoot\System32\Drivers\aswRdr.SYS
0xBA6BC000 \SystemRoot\System32\drivers\afd.sys
0xF7A50000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA5F1000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xBA581000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7A60000 \SystemRoot\System32\Drivers\Fips.SYS
0xBA53A000 \SystemRoot\System32\Drivers\aswSP.SYS
0xF7B00000 \SystemRoot\System32\Drivers\Aavmker4.SYS
0xF7A90000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA4FA000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF7DA2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF7D24000 \SystemRoot\System32\drivers\Dxapi.sys
0xF7B88000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7EB0000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF04E000 \SystemRoot\System32\ati2cqag.dll
0xBF080000 \SystemRoot\System32\atikvmag.dll
0xBF0B2000 \SystemRoot\System32\ati3duag.dll
0xBF2E6000 \SystemRoot\System32\ativvaxx.dll
0xB84EA000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0xB828C000 \SystemRoot\system32\DRIVERS\irda.sys
0xB839E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB8135000 \SystemRoot\System32\Drivers\aswMon2.SYS
0xBF37A000 \SystemRoot\System32\ATMFD.DLL
0xB7C20000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8302000 \SystemRoot\system32\drivers\sysaudio.sys
0xB7A0D000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB7A01000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB78C5000 \SystemRoot\system32\DRIVERS\srv.sys
0xB75B4000 \SystemRoot\System32\Drivers\HTTP.sys
0xB7181000 \SystemRoot\system32\DRIVERS\ar5211.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
688 C:\WINDOWS\system32\smss.exe
740 csrss.exe
764 C:\WINDOWS\system32\winlogon.exe
808 C:\WINDOWS\system32\services.exe
820 C:\WINDOWS\system32\lsass.exe
968 C:\WINDOWS\system32\ibmpmsvc.exe
1000 C:\WINDOWS\system32\ati2evxx.exe
1032 C:\WINDOWS\system32\svchost.exe
1108 svchost.exe
1164 C:\WINDOWS\system32\svchost.exe
1316 svchost.exe
1372 svchost.exe
1708 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1736 C:\WINDOWS\system32\ati2evxx.exe
1820 C:\WINDOWS\explorer.exe
544 C:\Program Files\iTunes\iTunesHelper.exe
552 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
564 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
600 C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
624 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
300 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
744 C:\Program Files\Common Files\Java\Java Update\jusched.exe
964 C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
1284 C:\Program Files\Skype\Phone\Skype.exe
288 C:\WINDOWS\system32\spoolsv.exe
2312 svchost.exe
2636 C:\Program Files\Skype\Plugin Manager\skypePM.exe
2748 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
2944 C:\Program Files\Java\jre6\bin\jqs.exe
3272 C:\WINDOWS\system32\svchost.exe
2132 C:\Program Files\iPod\bin\iPodService.exe
2776 wmiprvse.exe
800 C:\WINDOWS\system32\wuauclt.exe
2064 C:\WINDOWS\system32\svchost.exe
1588 C:\Program Files\Mozilla Firefox\firefox.exe
4004 C:\Documents and Settings\Primo\Desktop\malware stuff\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`fa17c000 (NTFS)

PhysicalDrive0 Model Number: HTS548040M9AT00, Rev: MG2OA5DA

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#17 RKinner (Malware Expert, MVP, 24,625 posts)
I think I'm going to retire mbrcheck. It doesn't seem to find anything anymore.

I'm impressed with aswmbr though. It's a new program and this is only the second time I've used it and the first time we got a Fix button, but it worked as promised. I think I would like for you to run it again and post the log just so I can be sure that it is not finding anything else. Probably a good idea to delete the old log and the mbr.dat before you run it again.

I expect that was the last of the infection though. I would like for you to update Avast to version 6 and run a boot-time scan just to be sure.
http://www.avast.com...ivirus-download

Download, Save, and right click and Run As Administrator.

Once you have it installed (I don't think you need to uninstall Avast 5. Seems like on mine that it was smart enough to know it was an upgrade and handled it without a lot of drama) and it has updated its definitions:

Click on the Avast ball. Then click on Scan Computer, then on Boot-Time Scan, then on Settings. Change the Ask at the bottom to Move to Chest. OK, then Schedule Now. Reboot and let it run a scan. It may take hours, so you may want to let it run while you sleep tonight.
Once it finishes it should load Windows.

Ron

#18 General Field Marshal (Topic Starter, Member, 71 posts)
aswMBR log:

aswMBR version 0.9.5.232 Copyright© 2011 AVAST Software
Run date: 2011-05-02 02:47:17
-----------------------------
02:47:17.018 OS Version: Windows 5.1.2600 Service Pack 3
02:47:17.018 Number of processors: 1 586 0x905
02:47:17.018 ComputerName: DESERT7210 UserName: Primo
02:47:18.079 Initialize success
02:47:22.586 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
02:47:22.586 Disk 0 Vendor: HTS548040M9AT00 MG2OA5DA Size: 38154MB BusType: 3
02:47:24.609 Disk 0 MBR read successfully
02:47:24.609 Disk 0 MBR scan
02:47:24.609 Disk 0 Windows XP default MBR code
02:47:26.612 Disk 0 scanning sectors +78125040
02:47:26.632 Disk 0 scanning C:\WINDOWS\system32\drivers
02:47:32.039 Service scanning
02:47:33.241 Disk 0 trace - called modules:
02:47:33.261 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
02:47:33.261 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86756ab8]
02:47:33.261 3 CLASSPNP.SYS[f78a0fd7] -> nt!IofCallDriver -> \Device\00000077[0x867583b8]
02:47:33.261 5 ACPI.sys[f7817620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8672f940]
02:47:33.261 Scan finished successfully
02:47:43.606 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Primo\Desktop\malware stuff\MBR.dat"
02:47:43.636 The log file has been saved successfully to "C:\Documents and Settings\Primo\Desktop\malware stuff\aswMBR.txt"

#19 RKinner (Malware Expert, MVP, 24,625 posts)
aswMBR log is clean!

Your Extras Log showed some services were having problems. Let's check and see if they are still complaining:

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
2. Type 20 in the 1 to 20 box
3. Then click the Run button. Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron

#20 General Field Marshal (Topic Starter, Member, 71 posts)
Haven't updated Avast yet. VEW System log:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 03/05/2011 3:03:41 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 02/05/2011 9:31:43 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.6 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 5:56:41 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.6 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 4:34:39 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.6 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 2:14:57 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 02/05/2011 2:14:57 AM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Log: 'System' Date/Time: 02/05/2011 2:08:59 AM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.6 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 1:33:52 AM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 02/05/2011 1:33:52 AM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.

Log: 'System' Date/Time: 02/05/2011 1:28:22 AM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.6 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 12:15:20 AM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.1.8 for the Network Card with network address 00054E4D2E8E has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 02/05/2011 12:12:52 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 02/05/2011 12:10:17 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Log: 'System' Date/Time: 02/05/2011 12:09:46 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Log: 'System' Date/Time: 02/05/2011 12:07:42 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Log: 'System' Date/Time: 02/05/2011 12:07:12 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Log: 'System' Date/Time: 02/05/2011 12:03:03 AM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}

Log: 'System' Date/Time: 01/05/2011 11:49:59 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Log: 'System' Date/Time: 01/05/2011 11:49:11 PM
Type: error Category: 0
Event: 10010 Source: DCOM
The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Log: 'System' Date/Time: 01/05/2011 11:37:32 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Windows Image Acquisition (WIA) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 01/05/2011 11:37:32 PM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Windows Image Acquisition (WIA) service to connect.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 03/05/2011 2:36:08 AM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 02/05/2011 7:54:43 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 02/05/2011 4:34:54 PM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 02/05/2011 2:11:57 AM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 02/05/2011 1:59:01 AM
Type: warning Category: 0
Event: 263 Source: PlugPlayManager
The service "Apple Mobile Device" may not have unregistered for device event notifications before it was stopped.

Log: 'System' Date/Time: 02/05/2011 1:35:29 AM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 02/05/2011 12:34:03 AM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 02/05/2011 12:31:53 AM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 01/05/2011 10:18:43 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 9:39:43 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 9:25:36 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 8:53:37 PM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 01/05/2011 6:28:02 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 00054E4D2E8E. The following error occurred: The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 01/05/2011 6:27:19 PM
Type: warning Category: 0
Event: 2504 Source: Server
The server could not bind to the transport \Device\NetBT_Tcpip_{16432401-DAAC-4CC4-9697-3F210049539E}.

Log: 'System' Date/Time: 01/05/2011 5:23:09 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 3:08:36 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 2:35:43 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 2:19:35 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 01/05/2011 3:57:19 AM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Log: 'System' Date/Time: 30/04/2011 8:45:15 PM
Type: warning Category: 0
Event: 4226 Source: Tcpip
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.


VEW Application log:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 03/05/2011 3:05:46 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 03/05/2011 1:15:46 AM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application divxupdate.exe, version 1.0.1.10, faulting module msvcp80.dll, version 8.0.50727.4053, fault address 0x000100b5.

Log: 'Application' Date/Time: 02/05/2011 1:15:44 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 02/05/2011 1:15:43 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 02/05/2011 1:13:57 AM
Type: error Category: 0
Event: 1001 Source: Application Error
Fault bucket 1783041387.

Log: 'Application' Date/Time: 02/05/2011 1:13:50 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application tdsskiller.exe, version 2.4.21.0, faulting module tdsskiller.exe, version 2.4.21.0, fault address 0x00056ec9.

Log: 'Application' Date/Time: 02/05/2011 1:12:30 AM
Type: error Category: 0
Event: 1001 Source: Application Error
Fault bucket -1884773766.

Log: 'Application' Date/Time: 02/05/2011 1:12:02 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module mshtml.dll, version 6.0.2900.6082, fault address 0x000696ff.

Log: 'Application' Date/Time: 02/05/2011 12:45:00 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application tdsskiller.exe, version 2.4.21.0, faulting module tdsskiller.exe, version 2.4.21.0, fault address 0x00056ec9.

Log: 'Application' Date/Time: 02/05/2011 12:43:54 AM
Type: error Category: 0
Event: 1001 Source: Application Error
Fault bucket 1783041387.

Log: 'Application' Date/Time: 02/05/2011 12:43:47 AM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application tdsskiller.exe, version 2.4.21.0, faulting module tdsskiller.exe, version 2.4.21.0, fault address 0x00056ec9.

Log: 'Application' Date/Time: 02/05/2011 12:28:21 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 02/05/2011 12:28:19 AM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 01/05/2011 11:47:56 PM
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module icucnv36.dll, version 3.6.0.0, fault address 0x000013df.

Log: 'Application' Date/Time: 01/05/2011 11:41:38 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 01/05/2011 11:41:35 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 01/05/2011 11:41:11 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 01/05/2011 11:41:03 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 01/05/2011 10:30:46 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This network connection does not exist.

Log: 'Application' Date/Time: 01/05/2011 10:30:45 PM
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The connection with the server was terminated abnormally

Log: 'Application' Date/Time: 01/05/2011 10:27:18 PM
Type: error Category: 0
Event: 1001 Source: Application Error
Fault bucket -1992079901.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 01/05/2011 11:16:20 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 01/05/2011 6:22:27 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 28/04/2011 1:11:46 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 28/04/2011 12:06:52 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 08/11/2010 1:40:21 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 04/11/2010 11:27:14 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 04/11/2010 4:21:56 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 04/11/2010 4:14:30 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 04/11/2010 3:58:20 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 19/10/2010 2:34:32 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 18/10/2010 10:59:31 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 18/10/2010 3:25:32 PM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 13/10/2010 4:06:25 AM
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x8007043C

Log: 'Application' Date/Time: 13/10/2010 3:49:29 AM
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user DESERT7210\Primo registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.
  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Could you run Combofix one more time and post the log?


I don't think your firewall is working and it looks like you are running something that is trying to contact a lot of PCs at the same time. I hope you are not running a P2P program like Limewire or Frostwire or utorrent.

How attached are you to Symantec? Could I talk you into uninstalling it and installing the free Avast at least long enough to run a boot-time scan?

Download and save the free Avast!
http://www.avast.com...ivirus-download

Uninstall Symantec, run the norton removal tool http://us.norton.com...3834EN&ln=en_US

Install the free Avast.

Once you have it installed and it has updated:

Click on the Avast ball. Then click on Scan Computer, then on
Boot-Time Scan then on Settings. Change the Ask at the bottom to Move to Chest. OK then Schedule Now. Reboot and let it run a scan. It may take hours.
Once it finishes it should load windows. Click on the Avast ball and then on Scan Logs, select the Boot-time scan report then View Results. How many did it find?

Ron
  • 0

#22
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Do I need to download another copy of Combofix?

I was actually watching a basketball game when it first hit, so maybe you're right . . .
  • 0

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
If you still have george you can run it.

Don't know why I thought you had Symantec. Sorry about that. Have you updated to 6 and run a boot-time scan yet?

Let's install the free Online Armor firewall. http://www.online-armor.com/ See if it will run.

Ron
  • 0

#24
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
I have not updated to Avast 6 yet. Should I do that or install the Online Armor firewall first?

Combofix log:

ComboFix 11-05-01.02 - Primo 05/04/2011 0:47.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.670 [GMT -5:00]
Running from: c:\documents and settings\Primo\My Documents\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-04 to 2011-05-04 )))))))))))))))))))))))))))))))
.
.
2011-05-02 07:04 . 2011-05-02 07:04 -------- d-----w- c:\program files\iPod
2011-05-02 07:04 . 2011-05-02 07:04 -------- d-----w- c:\program files\iTunes
2011-05-02 07:04 . 2011-05-02 07:04 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2011-05-02 07:00 . 2011-05-02 07:00 -------- d-----w- c:\documents and settings\Primo\Local Settings\Application Data\Apple
2011-05-02 07:00 . 2011-05-02 07:00 -------- d-----w- c:\program files\Apple Software Update
2011-05-02 06:58 . 2011-05-02 06:58 -------- d-----w- c:\program files\Bonjour
2011-05-02 04:34 . 2011-05-02 04:34 1409 ----a-w- c:\windows\QTFont.for
2011-05-02 03:21 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-02 03:21 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-01 23:19 . 2011-05-01 23:19 -------- d-----w- C:\_OTL
2011-04-30 08:27 . 2011-04-30 08:27 -------- d-----w- c:\documents and settings\NetworkService\Application Data\DivX
2011-04-29 19:56 . 2011-04-29 19:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-28 00:22 . 2011-04-28 00:22 -------- d-----w- c:\windows\system32\LogFiles
2011-04-06 21:20 . 2011-04-06 21:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 21:20 . 2011-04-06 21:20 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2011-04-06 21:20 . 2011-04-06 21:20 197920 ----a-w- c:\windows\system32\dnssdX.dll
2011-04-06 21:20 . 2011-04-06 21:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-07 05:33 . 2006-04-04 02:58 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:45 . 2006-04-04 02:42 434176 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2006-04-04 02:42 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-17 13:51 . 2006-04-04 02:42 667136 ----a-w- c:\windows\system32\wininet.dll
2011-02-17 13:51 . 2006-04-04 02:42 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-02-17 13:51 . 2006-04-04 02:41 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-02-17 13:18 . 2006-04-04 02:41 455936 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2006-04-04 02:42 357888 ----a-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:37 . 2006-04-04 02:41 369664 ----a-w- c:\windows\system32\html.iec
2011-02-17 12:32 . 2010-04-22 14:33 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2006-04-04 02:41 290432 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 13:53 . 2006-04-04 02:42 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2006-04-04 02:41 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2006-04-04 02:41 978944 ----a-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2006-04-04 02:41 974848 ----a-w- c:\windows\system32\mfc42u.dll
2011-04-29 20:17 . 2011-03-25 08:56 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-05-02_05.24.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-05-02 07:12 . 2011-05-02 07:12 16384 c:\windows\Temp\Perflib_Perfdata_eac.dat
+ 2011-05-02 07:21 . 2011-05-02 07:21 12736 c:\windows\system32\mlfcache.dat
+ 2011-05-02 06:59 . 2011-02-18 21:36 41984 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaapl.sys
+ 2011-05-02 06:59 . 2010-04-20 00:29 18432 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\netaapl.sys
+ 2011-05-02 07:04 . 2009-05-18 18:17 26600 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspiWDM.sys
+ 2008-01-29 19:01 . 2009-05-18 18:17 26600 c:\windows\system32\drivers\GEARAspiWDM.sys
+ 2011-05-02 07:00 . 2011-05-02 07:00 27136 c:\windows\Installer\{C41300B9-185D-475E-BFEC-39EF732F19B1}\AppleSoftwareUpdateIco.exe
- 2008-01-29 19:02 . 2008-01-29 19:02 107368 c:\windows\system32\GEARAspi.dll
+ 2008-01-29 19:02 . 2008-04-17 17:12 107368 c:\windows\system32\GEARAspi.dll
+ 2011-05-02 07:04 . 2008-04-17 17:12 107368 c:\windows\system32\DRVSTORE\GEARAspiWD_3B7AACF0636A2C042EB7AD2AFF76D37B27BDD28C\x86\GEARAspi.dll
+ 2011-05-02 06:58 . 2011-05-02 06:58 811520 c:\windows\Installer\1bee56.msi
+ 2011-05-02 07:05 . 2011-05-02 07:05 380928 c:\windows\Installer\{353FE16B-30FE-469A-BF55-B978F4218003}\iTunesIco.exe
+ 2011-05-02 06:59 . 2011-02-18 21:36 4184352 c:\windows\system32\DRVSTORE\usbaapl_05A32DBD3911A2EF4222EF5BE7BB535FAB37D6C4\usbaaplrc.dll
+ 2011-05-02 06:59 . 2010-04-20 00:29 1461992 c:\windows\system32\DRVSTORE\netaapl_8A27A03003759CB01567E831096473C330131D64\wdfcoinstaller01009.dll
+ 2011-05-02 07:05 . 2011-05-02 07:05 6523904 c:\windows\Installer\1bf6fe.msi
+ 2011-05-02 07:02 . 2011-05-02 07:02 9472000 c:\windows\Installer\1bf573.msi
+ 2011-05-02 07:00 . 2011-05-02 07:00 1554944 c:\windows\Installer\1bf2d0.msi
+ 2011-05-02 06:59 . 2011-05-02 06:59 3085312 c:\windows\Installer\1bee98.msi
+ 2011-05-02 06:58 . 2011-05-02 06:58 1984000 c:\windows\Installer\1bee5c.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2011-01-26 15026056]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2011-01-13 3396624]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-06-03 1144104]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [6/8/2010 1:16 PM 294608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [6/8/2010 1:16 PM 17744]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.bing.com/?pc=ZUGO&form=ZGAPHP
uInternet Settings,ProxyOverride = <local>;*.local
FF - ProfilePath - c:\documents and settings\Primo\Application Data\Mozilla\Firefox\Profiles\37v2w6j0.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?pc=ZUGO&form=ZGAADF&q=
FF - prefs.js: network.proxy.type - 0
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-04 00:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2011-05-04 00:55:30
ComboFix-quarantined-files.txt 2011-05-04 05:55
ComboFix2.txt 2011-05-02 05:27
.
Pre-Run: 14,804,258,816 bytes free
Post-Run: 14,832,111,616 bytes free
.
- - End Of File - - DD387CEA91791D1E9871E45F12D10D48
  • 0

#25
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Go ahead and install Online Armor which should keep any new infections out. Then update to Avast 6 and run the boot-time scan per my previous instructions.

Ron
  • 0

#26
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
I installed Online Armor but upon reboot Windows would not load. Tried rebooting twice more, Windows still wouldn't load. Will update Avast tomorrow.
  • 0

#27
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Updated to Avast 6 and ran boot-time scan, nothing found.
  • 0

#28
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
What exactly happened with Online Armor? How did you get it working again?

Start, Run, services.msc , OK to bring up the services window.

Find the Application Layer Gateway Service and right click on it and select Properties. If the Startup Type is not set to Automatic please change it and then hit Apply. Try to Start the service. What error do you get?


Check that Background Intelligent Transfer Service is running. If not try to start it as above. What error do you get?

Repeat for Automatic Update service and right click on it and select Properties. If the Startup Type is not set to Automatic please change it and then hit Apply. Try to Start the service. What error do you get?


Repeat for Windows Management Instrumentation (WMI) service.

Ron
  • 0

#29
General Field Marshal

General Field Marshal

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts

What exactly happened with Online Armor? How did you get it working again?


I never got Online Armor to work, Windows would load completely while it was installed. I had to go into safe mode and uninstall it.

Start, Run, services.msc , OK to bring up the services window.

Find the Application Layer Gateway Service and right click on it and select Properties. If the Startup Type is not set to Automatic please change it and then hit Apply. Try to Start the service. What error do you get?

Unable to start it, Start button dark


Check that Background Intelligent Transfer Service is running. If not try to start it as above. What error do you get?

already running

Repeat for Automatic Update service and right click on it and select Properties. If the Startup Type is not set to Automatic please change it and then hit Apply. Try to Start the service. What error do you get?

already running

Repeat for Windows Management Instrumentation (WMI) service.

Ron

already running
  • 0

#30
RKinner

RKinner

    Malware Expert

  • Expert
  • 24,625 posts
  • MVP
Copy the next line:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\alg /s > \junk.txt

Start, Run, cmd, OK to bring up a command window. Right click and Paste or Edit, Paste and the above line should appear. Hit Enter. Now type (with an Enter after each line)

sc  start  alg  >>  \junk.txt

net  start  >>  \junk.txt

notepad  \junk.txt


Ron
  • 0
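As an added example that is not part of the thread: a PowerShell script that does the checks from Ron's two posts above in one pass (registry startup type, current state, a start attempt with the error text captured, and the running-service list that `net start` would print), writing everything to one report file like the `\junk.txt` idea. The service short names, the meaning of the registry Start values and the report path are my assumptions, not values taken from the thread.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
# $ReportPath and the service list are assumptions (not values from the thread).
$ReportPath = "$env:SystemDrive\junk.txt"   # same idea as \junk.txt in Ron's post

# Services Ron asked about, keyed by their short (registry) names
$Services = @{
    'ALG'      = 'Application Layer Gateway Service'
    'BITS'     = 'Background Intelligent Transfer Service'
    'wuauserv' = 'Automatic Updates'
    'winmgmt'  = 'Windows Management Instrumentation'
}
# Meaning of the "Start" value under HKLM\SYSTEM\CurrentControlSet\Services\<name>
$StartTypes = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

$report = @(foreach ($name in $Services.Keys) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $cfg) { "== $name : registry key missing (service not installed) =="; continue }

    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    $lines = @(
        "== $name ($($Services[$name])) ==",
        "  Start value : $($cfg.Start) ($($StartTypes[[int]$cfg.Start]))",
        "  ImagePath   : $($cfg.ImagePath)",
        "  Runs as     : $($cfg.ObjectName)",
        "  Depends on  : $($cfg.DependOnService -join ', ')",
        "  State       : $($svc.Status)"
    )
    # A greyed-out Start button in services.msc usually means Disabled or a
    # missing dependency; the exception text below is the error Ron asks for.
    if ($svc -and $svc.Status -ne 'Running') {
        try   { Start-Service -Name $name -ErrorAction Stop; $lines += "  Start       : OK" }
        catch { $lines += "  Start       : FAILED - $($_.Exception.Message)" }
    }
    $lines
})

# Equivalent of "net start": every service currently running, by display name
$report += "", "== Running services =="
$report += Get-Service | Where-Object { $_.Status -eq 'Running' } |
           ForEach-Object { "  $($_.DisplayName)" }

$report | Set-Content -Path $ReportPath
notepad $ReportPath
```

A service whose Start value shows 4 (Disabled) explains a dark Start button on its own; a value of 2 with a failed start attempt points at the dependency list or the ImagePath instead.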
