WiredWX Christian Hobby Weather Tools

Tidserv Activity 2
Re: Tidserv Activity 2
Hi Dave
It's party weekend here in the "Keys" (Bel Marin keys that is) so I'll have to do those tomorrow.
All the best
Clive
P.S. Three sequential Christmas parties yesterday!

Re: Tidserv Activity 2
Hi Dave
I have the logs from SAS, MBAM and DDS runs and will try to attach them here - hope it works better this time than any time before.
However, I read a story once where this crew of a few men were trying to cross the Pacific Ocean in a large wooden boat they had built themselves. Not being experts, they had not taken into account what a teredo worm can do to a wooden boat, and as they progressed they found themselves spending all their waking moments bailing or patching the boat as it sank further and further into the water and gradually became more like a giant sponge riddled with teredo wormholes than a functioning boat. I believe it broke up before they reached land, but they were close enough that they were rescued.
Unfortunately, I feel like that with my desktop. Now I have to go through two boot cycles every time to get it up and going - the first cycle resulting in a blue screen of death. Also, I find that quite a number of my vital applications don't work anymore - can't connect to the internet, can't fix that with Network Magic (Platform missing) or Internet Explorer (Winsock catalog missing).
I think I may have to bite the bullet and revert the system to factory state.
Please have a look at the attached files and let me have your thoughts.
Best regards
Clive

Re: Tidserv Activity 2
Download BlueScreenView to your desktop.
BlueScreenView
unzip downloaded file and double click on BlueScreenView.exe to run the program.
when scanning is done, go to EDIT - Select All
Go to FILE - SAVE Selected Items, and save the report as BSOD.txt
Open BSOD.txt in Notepad, copy all of the content, and paste it into your next reply.

Re: Tidserv Activity 2
Hi Dave
I've been away from my desk most of today but finally managed to create the BSOD file which I will attempt to paste below. If that doesn't work please look for it at http://cliveburton.com/TidservTrojanRemoval/
I would greatly appreciate a little insight into what you are looking for in all these files and also your best educated guess as to our chances of pulling this one out of the fire and, if so, when.
Best regards
Clive
===================================================
==================================================
Dump File : Mini121911-02.dmp
Crash Time : 12/19/2011 11:07:18 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6badc74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121911-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121911-01.dmp
Crash Time : 12/19/2011 5:49:07 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6ba9c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121911-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-06.dmp
Crash Time : 12/15/2011 10:21:15 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6bb5c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-06.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-05.dmp
Crash Time : 12/15/2011 10:02:14 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6bb5c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-05.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-04.dmp
Crash Time : 12/15/2011 4:52:11 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b81c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-04.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-03.dmp
Crash Time : 12/15/2011 4:25:40 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b79c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-03.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-02.dmp
Crash Time : 12/15/2011 4:21:58 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b65c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121511-01.dmp
Crash Time : 12/15/2011 4:00:44 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b61c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121511-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-03.dmp
Crash Time : 12/14/2011 9:45:32 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b61c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-03.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-02.dmp
Crash Time : 12/14/2011 3:06:33 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b75c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121411-01.dmp
Crash Time : 12/14/2011 3:01:20 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b71c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121411-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121311-01.dmp
Crash Time : 12/13/2011 6:39:01 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b7dc74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121311-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121211-02.dmp
Crash Time : 12/12/2011 10:16:35 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Parameter 2 : 0x80563bdc
Parameter 3 : 0xf6b83c74
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+8cbdc
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121211-02.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121211-01.dmp
Crash Time : 12/12/2011 4:19:35 AM
Bug Check String : IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x1000000a
Parameter 1 : 0x000000b0
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0x8052d79e
Caused By Driver : CLASSPNP.SYS
Caused By Address : CLASSPNP.SYS+a456
File Description : SCSI Class System Dll
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5679e
Stack Address 1 : CLASSPNP.SYS+a456
Stack Address 2 : CLASSPNP.SYS+9b89
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121211-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini121111-01.dmp
Crash Time : 12/11/2011 11:04:25 PM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc000009a
Parameter 2 : 0x805197d9
Parameter 3 : 0xba5b05e0
Parameter 4 : 0x00000000
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+427d9
File Description : NT Kernel & System
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.6165 (xpsp_sp3_gdr.111025-1629)
Processor : 32-bit
Crash Address : ntoskrnl.exe+427d9
Stack Address 1 :
Stack Address 2 :
Stack Address 3 :
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini121111-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini061811-01.dmp
Crash Time : 6/18/2011 10:27:30 AM
Bug Check String : SYSTEM_THREAD_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000007e
Parameter 1 : 0xc0000005
Parameter 2 : 0xf76d5895
Parameter 3 : 0xf7ac8bd8
Parameter 4 : 0xf7ac88d4
Caused By Driver : CLASSPNP.SYS
Caused By Address : CLASSPNP.SYS+4895
File Description : SCSI Class System Dll
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2108)
Processor : 32-bit
Crash Address : CLASSPNP.SYS+4895
Stack Address 1 : CLASSPNP.SYS+2d1d
Stack Address 2 : CLASSPNP.SYS+2cb1
Stack Address 3 : aksfridge.sys+21253
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini061811-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 102,400
==================================================

==================================================
Dump File : Mini053010-01.dmp
Crash Time : 5/30/2010 11:44:52 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xa06c5940
Parameter 3 : 0xa06c563c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c826
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini053010-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini041410-01.dmp
Crash Time : 4/14/2010 5:55:09 PM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xf7c81940
Parameter 3 : 0xf7c8163c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c826
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c807
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini041410-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini102609-01.dmp
Crash Time : 10/26/2009 8:05:43 AM
Bug Check String : NTFS_FILE_SYSTEM
Bug Check Code : 0x00000024
Parameter 1 : 0x001902fe
Parameter 2 : 0xf7c89940
Parameter 3 : 0xf7c8963c
Parameter 4 : 0xf76b4ae8
Caused By Driver : Ntfs.sys
Caused By Address : Ntfs.sys+42ae8
File Description : NT File System Driver
Product Name : Microsoft® Windows® Operating System
Company : Microsoft Corporation
File Version : 5.1.2600.5512 (xpsp.080413-2111)
Processor : 32-bit
Crash Address : ntoskrnl.exe+5c806
Stack Address 1 : Ntfs.sys+dff0
Stack Address 2 : Ntfs.sys+63c87
Stack Address 3 : ntoskrnl.exe+c7f7
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini102609-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================

==================================================
Dump File : Mini090309-01.dmp
Crash Time : 9/2/2009 11:54:36 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x100000d1
Parameter 1 : 0xf7f3c002
Parameter 2 : 0x00000002
Parameter 3 : 0x00000000
Parameter 4 : 0xf7aff0df
Caused By Driver : dvd43llh.sys
Caused By Address : dvd43llh.sys+10df
File Description : dvd43llh.sys
Product Name : DVD For Free
Company : RIF
File Version : 3.5.000
Processor : 32-bit
Crash Address : dvd43llh.sys+10df
Stack Address 1 : dvd43llh.sys+1962
Stack Address 2 : ntoskrnl.exe+cd38
Stack Address 3 : atapi.sys+76fc
Computer Name :
Full Path : C:\WINDOWS\Minidump\Mini090309-01.dmp
Processors Count : 1
Major Version : 15
Minor Version : 2600
Dump File Size : 94,208
==================================================
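The report above is fifteen near-identical records, and what matters for triage is the pattern across them, not any one record. As an added example (not code from this thread or from NirSoft), here is a small Python script that parses a BlueScreenView "Save Selected Items" export and groups the crashes by bug check, faulting address and first parameter. It assumes only the layout visible above (records of "Key : Value" lines separated by rows of "=" characters); the sample text is a constructed, trimmed excerpt of three records from the report, and the function names are mine.

```python
"""Triage a BlueScreenView "Save Selected Items" text export.

Added example, not code from this thread or from NirSoft. It assumes only
the layout visible in the report above: records of "Key : Value" lines
separated by rows of '=' characters.
"""
from collections import Counter
from datetime import datetime

# Constructed excerpt in the report's layout: three records from the thread,
# trimmed to the fields this triage reads.
SAMPLE_REPORT = """\
==================================================
Dump File : Mini121911-02.dmp
Crash Time : 12/19/2011 11:07:18 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
Company : Microsoft Corporation
Stack Address 1 :
==================================================

==================================================
Dump File : Mini121911-01.dmp
Crash Time : 12/19/2011 5:49:07 AM
Bug Check String : KERNEL_MODE_EXCEPTION_NOT_HANDLED
Bug Check Code : 0x1000008e
Parameter 1 : 0xc0000005
Caused By Driver : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+8cbdc
Company : Microsoft Corporation
Stack Address 1 :
==================================================

==================================================
Dump File : Mini090309-01.dmp
Crash Time : 9/2/2009 11:54:36 PM
Bug Check String : DRIVER_IRQL_NOT_LESS_OR_EQUAL
Bug Check Code : 0x100000d1
Parameter 1 : 0xf7f3c002
Caused By Driver : dvd43llh.sys
Caused By Address : dvd43llh.sys+10df
Company : RIF
Stack Address 1 : dvd43llh.sys+1962
==================================================
"""


def parse_report(text):
    """Return one dict per dump record; blank values (empty stack slots) are kept as ''."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:              # separator row between records
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only, so "Crash Time : 12/19/2011 11:07:18 AM"
        # keeps the colons inside the time and "Full Path : C:\..." keeps its drive letter.
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def crash_time(rec):
    """BlueScreenView's US-style timestamp, exactly as written in the report."""
    return datetime.strptime(rec["Crash Time"], "%m/%d/%Y %I:%M:%S %p")


def triage(records, recent_days=14):
    """Group crashes by (bug check, faulting address, parameter 1) and flag what stands out."""
    if not records:
        return {"signatures": {}, "recent_count": 0, "third_party_drivers": [], "findings": []}
    signatures = Counter()
    for rec in records:
        sig = (rec.get("Bug Check Code", "?"), rec.get("Caused By Address", "?"),
               rec.get("Parameter 1", "?"))
        signatures[sig] += 1

    latest = max(crash_time(r) for r in records)
    recent = [r for r in records if (latest - crash_time(r)).days <= recent_days]

    findings = []
    for (code, where, p1), n in signatures.most_common():
        module = where.split("+")[0].lower()
        if n > 1:
            findings.append(f"{n} dumps share bug check {code} at {where} with parameter 1 {p1}: "
                            "the same fault every time points at a deterministic software cause "
                            "(a corrupt or modified kernel-mode file) rather than random hardware errors")
        if module == "ntoskrnl.exe":
            # The kernel is blamed and no stack frames were recorded, so the tool could not
            # attribute the crash to a driver; the thread's SFC run is the right next step.
            no_stack = all(not r.get("Stack Address 1")
                           for r in records if r.get("Caused By Address") == where)
            if no_stack:
                findings.append(f"{where}: kernel blamed with empty stack slots; verify the kernel "
                                "image and system files before suspecting hardware")
    # Drivers whose version info is not Microsoft's deserve a look of their own.
    third_party = sorted({r["Caused By Driver"] for r in records
                          if r.get("Company", "") not in ("", "Microsoft Corporation")})
    return {"signatures": dict(signatures), "recent_count": len(recent),
            "third_party_drivers": third_party, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{result['recent_count']} crash(es) within 14 days of the latest dump")
    for line in result["findings"]:
        print("-", line)
    print("non-Microsoft drivers blamed:", ", ".join(result["third_party_drivers"]) or "none")
```

Run against the full report pasted above, the grouping collapses the December 2011 burst into a single signature (0x1000008e at ntoskrnl.exe+8cbdc with exception code 0xc0000005), separates the older, unrelated NTFS and third-party-driver crashes, and makes the "infected or corrupt file" reading in the next reply easy to check at a glance.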

Re: Tidserv Activity 2
I would greatly appreciate a little insight into what you are looking for in all these files and also your best educated guess as to our chances of pulling this one out of the fire and, if so, when.

At this point it looks like an infected or corrupt file.
Please run this even if you don't have the OS disk and let me know the results.
Do you have an XP CD?

If so, place it in your CD ROM drive and follow the instructions below:
•Click on Start > Run and type sfc /scannow then press Enter (note the space between sfc and /scannow)
*Let this run undisturbed until the window with the blue progress bar goes away
SFC, which stands for System File Checker, retrieves the correct version of the file from %Systemroot%\System32\Dllcache or the Windows installation source files, and then replaces the incorrect file.
*********************************************************
Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you want to use Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
Double click ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
(screenshot: Query_RC)
Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
(screenshot: RC_successful)

Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

Re: Tidserv Activity 2
Hi Dave
Sorry - I wasn't able to do much towards the "war" effort today. I had to use my desktop for a number of things today and, amazingly, I am not getting any error messages now. Tomorrow I will follow your suggestions above. However, I don't have a copy of XP - only the Recovery disks that came with the computer (dreadful idea that!). So, should I try running SFC with the existing XP system on the desktop? Wasn't sure what to do there.
Best regards
Clive

Re: Tidserv Activity 2
rich_hilton wrote:
Hi Dave
Sorry - I wasn't able to do much towards the "war" effort today. I had to use my desktop for a number of things today and, amazingly, I am not getting any error messages now. Tomorrow I will follow your suggestions above. However, I don't have a copy of XP - only the Recovery disks that came with the computer (dreadful idea that!). So, should I try running SFC with the existing XP system on the desktop? Wasn't sure what to do there.
Best regards
Clive

Please run the SFC check even if you don't have the disk. If it finds a corrupt or missing file, it will prompt you for the disk.

Re: Tidserv Activity 2
Hi Dave
I could only run ComboFix.
It discovered that Rootkit.ZeroAccess had inserted itself into the TCP/IP stack and attempted to fix it.

Here's the logfile - gotta go.
Cheers
Clive
ComboFix 11-12-21.02 - Clive 12/21/2011 17:35:35.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1024.649 [GMT -8:00]
Running from: l:\combofix\ComboFix.exe
AV: Norton Internet Security *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\chrome.manifest
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\content\ff-overlay.xul
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\content\overlay.js
c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\Extensions\{A5DCA3F5-ED5A-4ed3-9671-DBB0C68FA469}\install.rdf
c:\documents and settings\Clive\g2mdlhlpx.exe
c:\documents and settings\Clive\GoToAssistDownloadHelper.exe
c:\documents and settings\Clive\WINDOWS
c:\program files\Common Files\Help
c:\program files\Common Files\Help\_updated.js
c:\program files\Common Files\Help\qnue.chm
c:\program files\Common Files\Help\qnue.lif
c:\program files\Common Files\Help\qnue.lt3
c:\program files\Common Files\Help\qnue.rul
c:\program files\Common Files\Help\quicken.chm
c:\program files\Common Files\Help\quicken.lif
c:\program files\Common Files\Help\Quicken.lt3
c:\program files\Common Files\Help\Quicken.rul
c:\program files\Common Files\Help\quickenProject.lt3
c:\program files\Common Files\Help\quickenProject.rul
c:\program files\Search Toolbar
c:\program files\Search Toolbar\icon.ico
c:\program files\Search Toolbar\SearchToolbarUninstall.exe
c:\windows\$NtUninstallKB20212$\1774397239\@
c:\windows\$NtUninstallKB20212$\1774397239\bckfg.tmp
c:\windows\$NtUninstallKB20212$\1774397239\cfg.ini
c:\windows\$NtUninstallKB20212$\1774397239\Desktop.ini
c:\windows\$NtUninstallKB20212$\1774397239\keywords
c:\windows\$NtUninstallKB20212$\1774397239\kwrd.dll
c:\windows\$NtUninstallKB20212$\1774397239\L\tyiycewx
c:\windows\$NtUninstallKB20212$\1774397239\lsflt7.ver
c:\windows\$NtUninstallKB20212$\1774397239\U\00000001.@
c:\windows\$NtUninstallKB20212$\1774397239\U\00000002.@
c:\windows\$NtUninstallKB20212$\1774397239\U\00000004.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000000.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000004.@
c:\windows\$NtUninstallKB20212$\1774397239\U\80000032.@
c:\windows\$NtUninstallKB20212$\686445642
c:\windows\system32\oobe\isperror
c:\windows\system32\oobe\isperror\ispcnerr.htm
c:\windows\system32\oobe\isperror\ispdtone.htm
c:\windows\system32\oobe\isperror\isphdshk.htm
c:\windows\system32\oobe\isperror\ispins.htm
c:\windows\system32\oobe\isperror\ispnoanw.htm
c:\windows\system32\oobe\isperror\isppberr.htm
c:\windows\system32\oobe\isperror\ispphbsy.htm
c:\windows\system32\oobe\isperror\ispsbusy.htm
c:\windows\system32\SET125F.tmp
c:\windows\system32\SET1263.tmp
c:\windows\system32\SET126B.tmp
J:\autorun.inf
K:\autorun.inf
c:\windows\$NtUninstallKB20212$ . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-22 to 2011-12-22 )))))))))))))))))))))))))))))))
.
.
2011-12-20 23:14 . 2001-08-17 21:47 6272 -c--a-w- c:\windows\system32\dllcache\apmbatt.sys
2011-12-20 23:14 . 2002-08-29 06:59 36224 -c--a-w- c:\windows\system32\dllcache\an983.sys
2011-12-20 23:14 . 2001-08-17 21:52 12032 -c--a-w- c:\windows\system32\dllcache\amsint.sys
2011-12-20 23:14 . 2001-08-17 20:11 16969 -c--a-w- c:\windows\system32\dllcache\amb8002.sys
2011-12-20 23:14 . 2001-08-17 21:51 5248 -c--a-w- c:\windows\system32\dllcache\aliide.sys
2011-12-20 23:14 . 2001-08-17 21:49 26624 -c--a-w- c:\windows\system32\dllcache\alifir.sys
2011-12-20 23:14 . 2001-08-17 20:11 27678 -c--a-w- c:\windows\system32\dllcache\ali5261.sys
2011-12-20 23:14 . 2001-08-17 22:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-12-20 23:14 . 2001-08-17 22:07 55168 -c--a-w- c:\windows\system32\dllcache\aic78u2.sys
2011-12-20 23:14 . 2001-08-17 21:52 12800 -c--a-w- c:\windows\system32\dllcache\aha154x.sys
2011-12-20 02:51 . 2011-12-20 02:51 -------- d-----w- c:\program files\NirSoft
2011-12-18 02:41 . 2011-07-13 02:55 2237440 ----a-r- C:\OTLPE.exe
2011-12-18 02:37 . 2011-12-18 02:37 -------- d-----w- C:\_OTL
2011-12-15 06:00 . 2011-12-15 06:00 -------- d-----w- c:\documents and settings\Clive\Application Data\SUPERAntiSpyware.com
2011-12-15 05:57 . 2011-12-15 06:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-12-15 05:57 . 2011-12-15 05:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-12-14 20:04 . 2011-12-14 20:04 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2011-12-14 18:36 . 2011-12-14 18:36 388096 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-12-14 18:36 . 2011-12-14 18:36 -------- d-----w- c:\program files\Trend Micro
2011-12-14 01:21 . 2011-12-14 01:21 709968 ----a-w- c:\windows\is-28FEL.exe
2011-12-13 02:24 . 2008-04-13 19:21 162816 ----a-w- C:\netbt.sys
2011-12-13 00:20 . 2011-12-13 00:20 -------- d-----w- c:\documents and settings\Clive\Application Data\FixZeroAccess
2011-12-12 23:10 . 2011-12-12 23:10 46640 ----a-w- c:\windows\system32\msln.exe
2011-12-12 22:55 . 2011-12-12 23:10 384414 ----a-w- c:\windows\system32\drivers\SMR210.dat
2011-12-12 22:55 . 2011-12-12 22:55 83064 ----a-w- c:\windows\system32\drivers\SMR210.SYS
2011-12-12 22:55 . 2011-12-13 00:08 -------- d-----w- c:\documents and settings\Clive\Local Settings\Application Data\NPE
2011-12-09 03:33 . 2011-12-11 22:51 -------- d-----w- c:\windows\system32\drivers\NIS\1302000.00A
2011-12-07 17:43 . 2011-12-07 17:43 -------- d-----w- c:\program files\Appnimi
2011-11-27 22:50 . 2011-11-05 03:20 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-11-27 22:50 . 2011-11-05 07:10 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-08 22:01 . 2010-11-21 00:15 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2011-12-08 22:01 . 2010-11-21 00:15 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-11-23 13:25 . 2002-08-29 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20 . 2006-06-23 18:33 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2002-08-29 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2002-08-29 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2005-07-26 04:31 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2002-08-29 12:00 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2002-08-29 01:04 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2011-10-24 21:29 . 2011-10-24 21:29 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 21:29 . 2011-10-24 21:29 69632 ----a-w- c:\windows\system32\QuickTime.qts
2011-10-22 04:02 . 2011-08-01 19:37 53248 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\ARPPRODUCTICON.exe
2011-10-22 04:02 . 2011-08-01 19:37 40960 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\NewShortcut2_8637FCC51F2244009511B0F022380F4D.exe
2011-10-22 04:02 . 2011-08-01 19:37 40960 ----a-r- c:\documents and settings\Clive\Application Data\Microsoft\Installer\{340D61BB-350A-40F4-8CFD-4F860E12066E}\NewShortcut1_A35BF946C93442D89CCA96E4AF7A10B3.exe
2011-10-18 11:13 . 2002-08-29 12:00 186880 ----a-w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2009-07-10 22:44 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2002-08-29 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-27 16:37 . 2009-07-17 01:48 8892928 ----a-w- c:\documents and settings\All Users\Application Data\atscie.msi
2011-09-26 18:41 . 2008-07-30 02:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 18:41 . 2002-08-29 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 18:41 . 2002-08-29 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-25 05:49 . 2011-05-15 20:25 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 07:10 . 2011-04-09 17:05 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-07 30192]
"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking10\Ereg\Ereg.exe" [2007-04-16 259624]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MXOBG"="c:\windows\MXOALDR.EXE" [2003-10-10 94208]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2010-03-06 500208]
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" [2010-02-22 406992]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2009-07-07 1848648]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"ezShieldProtector for Px"="c:\windows\system32\ezSP_Px.exe" [2002-08-20 40960]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\C:\0autocheck autochk *
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MsDepSvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" -osboot
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"d:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\WINDOWS\\system32\\hasplms.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\mafia ii - public demo\\launcher.exe"=
"d:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe"= c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe:LocalSubNet,0.0.0.0/255.255.255.255:Enabled:Pure Networks Platform Service
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [12/12/2011 2:55 PM 83064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/12/2010 8:44 AM 691696]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\NIS\1302000.00A\symds.sys [12/8/2011 7:35 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1302000.00A\symefa.sys [12/8/2011 7:35 PM 897656]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\BASHDefs\20111210.003\BHDrvx86.sys [12/14/2011 4:20 PM 819320]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\system32\drivers\NIS\1302000.00A\ccsetx86.sys [12/8/2011 7:35 PM 132744]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 8:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 1:55 PM 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\NIS\1302000.00A\ironx86.sys [12/8/2011 7:35 PM 149624]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 3:38 PM 116608]
R2 Apache2.2;Apache2.2;d:\xampplite\apache\bin\httpd.exe [10/1/2011 9:33 AM 29416]
R2 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\SeaPort.EXE [6/15/2011 4:33 PM 249648]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/25/2009 10:32 PM 189736]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R2 MBAMService;MBAMService;d:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/25/2009 5:36 PM 366152]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\19.2.0.10\ccsvchst.exe [12/8/2011 7:34 PM 138760]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [10/20/2009 10:19 AM 50704]
R2 Secunia PSI Agent;Secunia PSI Agent;d:\program files\Secunia\PSI\psia.exe [12/21/2010 4:04 AM 987704]
R2 Secunia Update Agent;Secunia Update Agent;d:\program files\Secunia\PSI\sua.exe [12/21/2010 4:04 AM 399416]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [9/29/2011 3:06 PM 28256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/9/2011 9:29 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.1.1.3\Definitions\IPSDefs\20111216.001\IDSXpx86.sys [12/17/2011 10:16 AM 356280]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/25/2009 5:36 PM 22216]
R3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [7/13/2009 8:04 PM 47360]
R3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [9/1/2010 12:30 AM 15544]
S0 iycct;iycct;c:\windows\system32\drivers\bhcfi.sys --> c:\windows\system32\drivers\bhcfi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/29/2009 7:34 AM 30192]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2009 10:12 PM 133104]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [9/29/2011 3:06 PM 28256]
S3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [7/7/2011 6:31 PM 195336]
S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;d:\program files\SolidWorks\SolidWorks\swScheduler\DTSCoordinatorService.exe [10/15/2009 5:51 AM 87336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2009 10:12 PM 133104]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S3 XHASP;XHASP;c:\windows\system32\drivers\XHASP.sys [10/29/2010 1:42 PM 245888]
S4 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 7:17 PM 67400]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [9/23/2005 6:01 AM 2799808]
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-11 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2011-12-22 c:\windows\Tasks\GlaryInitialize.job
- d:\program files\Glary Utilities\initialize.exe [2009-07-22 00:02]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004Core.job
- c:\documents and settings\Clive\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
2011-12-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-776561741-1390067357-839522115-1004UA.job
- c:\documents and settings\Clive\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-23 06:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mirostart.com/?cfg=2-365-0-QcG4
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Backward Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Send To &Bluetooth - d:\program files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html
Trusted Zone: intuit.com\ttlc
TCP: DhcpNameServer = 192.168.0.1
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\Clive\Application Data\Mozilla\Firefox\Profiles\pfrurtul.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3074349&SearchSource=2&q=
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-PowerArchiver - d:\powerarchiver\UNINST.EXE
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-21 18:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MsDepSvc]
"ImagePath"="\"c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe\" -runService:MsDepSvc"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\19.2.0.10\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\19.2.0.10\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(4192)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
d:\program files\Belkin\Bluetooth Software\bin\btwdins.exe
c:\program files\Google\Update\1.3.21.79\GoogleCrashHandler.exe
c:\windows\system32\hasplms.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
d:\xampplite\mysql\bin\mysqld.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-12-21 18:16:01 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-22 02:15
ComboFix2.txt 2009-11-26 01:10
.
Pre-Run: 46,555,459,584 bytes free
Post-Run: 47,568,580,608 bytes free
.
- - End Of File - - 5498EE1703427F4FC437FEE9804E69A1
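
An added example, not part of the posts above and not ComboFix's own code: a small Python triage of the service/driver section of the ComboFix log (the R0/R1/S0... lines). ComboFix prints each entry as `<R|S><start type> name;display name;image path [date time size]`, or with `--> path [?]` when it could not resolve the image file. The script parses those lines and scores each entry on three signals a reviewer looks at first: a boot- or system-start driver (start type 0 or 1, so it loads before any scanner), an image ComboFix marked `[?]`, and a display name that is nothing more than the service name repeated. The sample lines are copied from the log above; the weights and the threshold of 3 are this example's own choice, not a ComboFix rule. Run as written it flags only the S0 entry iycct (bhcfi.sys, which ComboFix could not find), while sptd and hasplms score 2 each and stay below the threshold.

```python
import re

# Lines copied from the ComboFix log posted above (service/driver section).
# Format: <R|S><start type> <name>;<display name>;<image path> [<details>]
# where details is "date time size", or "?" when ComboFix could not resolve
# the image file (it then prints "original --> resolved [?]").
SAMPLE_SERVICES = r"""
R0 SMR210;Symantec SMR Utility Service 2.1.0;c:\windows\system32\drivers\SMR210.SYS [12/12/2011 2:55 PM 83064]
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/12/2010 8:44 AM 691696]
R2 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/25/2009 5:36 PM 22216]
S0 iycct;iycct;c:\windows\system32\drivers\bhcfi.sys --> c:\windows\system32\drivers\bhcfi.sys [?]
S4 MsDepSvc;Web Deployment Agent Service;c:\program files\IIS\Microsoft Web Deploy\MsDepSvc.exe [4/1/2011 7:17 PM 67400]
"""

LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# Weights and threshold are this example's own heuristic, not a ComboFix rule.
WEIGHTS = {
    "kernel-level start (boot/system)": 1,
    "image file not resolved by ComboFix ([?])": 2,
    "display name identical to service name": 1,
}
THRESHOLD = 3


def parse_service_line(line):
    """One ComboFix service line -> dict, or None if the line is not a service entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, image, details = m.groups()
    # "original --> resolved": keep the form ComboFix actually looked up
    if " --> " in image:
        image = image.split(" --> ", 1)[1]
    return {
        "name": name,
        "display": display,
        "image": image,
        "running": state == "R",
        "start": START_TYPES[start],
        "image_resolved": details != "?",
    }


def score_service(svc):
    """Return (score, reasons) for one parsed entry."""
    reasons = []
    if svc["start"] in ("boot", "system"):
        reasons.append("kernel-level start (boot/system)")
    if not svc["image_resolved"]:
        reasons.append("image file not resolved by ComboFix ([?])")
    if svc["name"] == svc["display"]:
        reasons.append("display name identical to service name")
    return sum(WEIGHTS[r] for r in reasons), reasons


def triage_services(text, threshold=THRESHOLD):
    """Parse and score every service line; keyed by service name."""
    results = {}
    for line in text.splitlines():
        svc = parse_service_line(line)
        if svc is None:
            continue
        score, reasons = score_service(svc)
        svc.update(score=score, reasons=reasons, suspicious=score >= threshold)
        results[svc["name"]] = svc
    return results


if __name__ == "__main__":
    for name, svc in triage_services(SAMPLE_SERVICES).items():
        flag = "SUSPICIOUS" if svc["suspicious"] else "ok"
        print(f"{flag:10} {name:14} start={svc['start']:8} score={svc['score']} {svc['image']}")
        for reason in svc["reasons"]:
            print(f"{'':25} - {reason}")
```

A hit from this script is a lead, not a verdict: the follow-up is to check whether the file exists, who signed it, and what the service's key under HKLM\SYSTEM\CurrentControlSet\Services says, which is the kind of entry the CFScript in Dave's next post removes.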

Re: Tidserv Activity 2
Hi Dave
I have run ComboFix again since the 5:35PM run that produced the log above. It didn't complain about anything, and Norton and a quick scan using MBAM didn't find anything, though while it was running, Norton Internet Security (Auto-Protect) said it was processing a security risk, Trojan.ADH, which it quarantined. I'm running a full scan of MBAM on all my desktop disks overnight.
Should I run SAS and DDS again and maybe apply any fixes they recommend?
All the best
Clive

Re: Tidserv Activity 2
Should I run SAS and DDS again and maybe apply any fixes they recommend?

You can run SAS and MBAM again, if you wish. I don't need to see DDS logs.

Re-running ComboFix to remove infections:


  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:

    KillAll::

    Folder::
    c:\windows\$NtUninstallKB20212$


  • Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: Cfscriptb4, CFScript.txt being dragged onto ComboFix.exe]

  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt
  • I don't need to see the log from this script.

***************************************************
SysProt Antirootkit

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process << Selected
    • Kernel Modules << Selected
    • SSDT << Selected
    • Kernel Hooks << Selected
    • IRP Hooks << NOT Selected
    • Ports << NOT Selected
    • Hidden Files << Selected

  • At the bottom of the page

    • Hidden Objects Only << Selected

  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive. Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

Re: Tidserv Activity 2
Hi Dave
It seems that with your very knowledgeable help we might be getting somewhere. I ran ComboFix as you instructed, then SysProt AntiRootkit, and its log is pasted below.
The system seems to be behaving well - no messages and only one blue screen on Tuesday. None since.
Best regards
Clive
==============================================
SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: SYMDS.SYS
Service Name: SymDS
Module Base: F7415000
Module End: F746C000
Hidden: Yes

Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: F7322000
Module End: F7403000
Hidden: Yes

Module Name: Combo-Fix.sys
Service Name: ---
Module Base: F769E000
Module End: F76AD000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\a2uvq3yu.SYS
Service Name: ---
Module Base: F6BF0000
Module End: F6C29000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: F555E000
Module End: F5576000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: F7B70000
Module End: F7B72000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: BA581000
Module End: BA589000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F7BE4000
Module End: F7BE6000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 8679A008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 86750A30
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 86738D40
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAssignProcessToJobObject
Address: 867750F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 86ADA628
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwCreateMutant
Address: 867A2120
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 867C5100
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 86777998
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDebugActiveProcess
Address: 867751B8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: F5910C00
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDeleteValueKey
Address: F5910F10
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDuplicateObject
Address: 86AA3918
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwEnumerateKey
Address: F7533DA4
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwEnumerateValueKey
Address: F7534132
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwFreeVirtualMemory
Address: 8679BB50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 867A2008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8679A110
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 86817820
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 867B29A0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 867BE008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenKey
Address: F751B0C0
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwOpenProcess
Address: 86734718
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcessToken
Address: 867B15F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 867BE050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 867B20E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 867C5008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQueryKey
Address: F753420A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwQueryValueKey
Address: F753408A
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwResumeThread
Address: 86738138
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 867A3050
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 867A3130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 8677E0F0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: F5911160
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 867BE130
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 86757068
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 86753708
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 86757148
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 867B28E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 86738C50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
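
An added example, not part of Clive's post and not SysProt's own code: a Python helper that reads a SysProt log like the one above and turns the two sections that matter, Kernel Modules and SSDT, into something reviewable. Two things in this log drive the design. First, "Hidden: Yes" is set here for ComboFix's own catchme.sys and Combo-Fix.sys, Process Explorer's PROCEXP113.SYS and the crash-dump drivers dump_atapi.sys and dump_WMILIB.SYS, so that flag on its own is not evidence of a rootkit, and the helper only lists hidden modules for the analyst. Second, most SSDT entries show Driver Name _unknown_ with an address in the 0x86xxxxxx range that no listed module covers; that is how SysProt reports a hook it cannot attribute, and both security products and rootkits produce that pattern. The helper therefore tries to attribute each unknown hook to a module by address range and reports the rest as _unresolved_, to be matched against the installed tools rather than judged on sight. The registry-function hooks owned by spas.sys (ZwEnumerateKey, ZwOpenKey, ZwQueryKey and so on) are consistent with the sptd driver listed as an R0 service in the ComboFix log, which loads a randomly named helper driver. The sample below is an excerpt of the posted log plus one constructed SSDT entry, ZwQuerySystemInformation at F7BE4100 inside the PROCEXP113.SYS range, added only to exercise the range attribution.

```python
import re
from collections import defaultdict

# Excerpt of the SysProt AntiRootkit log posted above. The ZwQuerySystemInformation
# entry is CONSTRUCTED (not in the posted log): its address falls inside the
# PROCEXP113.SYS range so that the address-range attribution below has a case to handle.
SAMPLE_LOG = r"""
No Hidden Processes found

******************************************************************************************
Kernel Modules:
Module Name: spas.sys
Service Name: ---
Module Base: F751A000
Module End: F760D000
Hidden: Yes

Module Name: \??\C:\ComboFix\catchme.sys
Service Name: catchme
Module Base: BA581000
Module End: BA589000
Hidden: Yes

Module Name: \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Service Name: ---
Module Base: F7BE4000
Module End: F7BE6000
Hidden: Yes

******************************************************************************************
SSDT:
Function Name: ZwCreateKey
Address: F5910980
Driver Base: F58FA000
Driver End: F5920000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwEnumerateKey
Address: F7533DA4
Driver Base: F751A000
Driver End: F760D000
Driver Name: spas.sys

Function Name: ZwOpenProcess
Address: 86734718
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwQuerySystemInformation
Address: F7BE4100
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
No Kernel Hooks found
"""

SECTION_RE = re.compile(r"^(Kernel Modules|SSDT|Kernel Hooks|IRP Hooks|Hidden Files):\s*$")


def split_sections(text):
    """Map section title -> its text. A line of asterisks ends the current section."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.startswith("****"):
            current = None
        elif current:
            sections[current].append(line)
    return {k: "\n".join(v) for k, v in sections.items()}


def parse_records(section_text):
    """Blank-line separated 'Key: Value' blocks -> list of dicts.
    Only the first colon splits key from value, so drive-letter paths survive intact."""
    records = []
    for block in re.split(r"\n\s*\n", section_text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def owner_by_range(address, modules):
    """Name of the listed module whose [Base, End) range contains address, else None."""
    for m in modules:
        lo, hi = int(m["Module Base"], 16), int(m["Module End"], 16)
        if lo <= address < hi:
            return m["Module Name"]
    return None


def triage_sysprot(text):
    """Hidden modules as listed, and SSDT hooks grouped by owning driver.
    Hooks SysProt reports as _unknown_ are attributed by address range when possible,
    otherwise grouped under _unresolved_ for manual follow-up."""
    sections = split_sections(text)
    modules = [r for r in parse_records(sections.get("Kernel Modules", "")) if "Module Base" in r]
    hooks = [r for r in parse_records(sections.get("SSDT", "")) if "Function Name" in r]
    hooks_by_owner = defaultdict(list)
    for h in hooks:
        owner = h["Driver Name"]
        if owner == "_unknown_":
            owner = owner_by_range(int(h["Address"], 16), modules) or "_unresolved_"
        hooks_by_owner[owner].append(h["Function Name"])
    hidden = [m["Module Name"] for m in modules if m.get("Hidden") == "Yes"]
    return {"hidden_modules": hidden, "hooks_by_owner": dict(hooks_by_owner)}


if __name__ == "__main__":
    result = triage_sysprot(SAMPLE_LOG)
    print("Hidden modules (check each against the tools you know are installed):")
    for name in result["hidden_modules"]:
        print("  ", name)
    print("SSDT hooks by owner:")
    for owner, funcs in result["hooks_by_owner"].items():
        print(f"   {owner}: {', '.join(funcs)}")
```

The _unresolved_ group is the one to work through: each entry is either a security product's hook stub in pool memory or something that should not be there, and the way to tell is to disable the installed security tools one at a time and re-run the scan, not to delete on the strength of the address alone.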

Re: Tidserv Activity 2
I'd like to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
• Click the ESET Online Scanner button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on the ESET Smart Installer link to download it. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.

• Check the box accepting the terms of use.
• Click the Start button.
• Accept any security warnings from your browser.
• Check the option to scan archives.
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push the button that lists the threats found.
• Push Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the Back button.
• Push Finish.
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

Re: Tidserv Activity 2
Hi Dave
Unfortunately I can no longer connect my desktop to the internet. I have Cisco's Network Magic installed on all of my machines and following its troubleshooting guide (plus sometimes actually having to unscrew the coax cable from the Comcast cable modem) has always got me out of trouble before. The Desktop is connected by Ethernet as is my wife's desktop which is still working fine so I am at a bit of a loss to know what to do next. The fault seemed to occur after a run of SAS. I'm currently uninstalling the Realtek Ethernet driver and rebooting - it just found the Ethernet hardware after reboot so let's hope that works. Now I have to reboot again to satisfy "the software that supports your hardware" - I suppose that means Network Magic or maybe the driver?? Isn't this fun??
While I'm waiting for the 2nd reboot I have a question - how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?
OH lovely! - now Network Magic and IE tools can't detect the Ethernet Adapter even though it shows OK under Device Manager. I don't seem to have any good software for probing network Adapters - any suggestions?
I can download stuff on my laptop which is what I am using to communicate with you and the rest of the world.
Best regards
Clive

Re: Tidserv Activity 2
how the hell do you know all this stuff - is this your day job too or just a (very serious) hobby?

Over three years of training on-line. This is just a hobby. I couldn't get rich doing this for a living as everything is free.

Please download MiniToolBox to Desktop and run it.

Checkmark the following boxes:

  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • List content of Hosts
  • List IP Configuration
  • List Last 10 Event Viewer Errors
  • List Users, Partitions and Memory Size

Click Go and copy/paste the log (Result.txt) into your next post.

Re: Tidserv Activity 2
Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive

Re: Tidserv Activity 2
rich_hilton wrote:
Dear Dave
I just came online to thank you for all your help and wish you a very Merry Christmas - didn't expect a note from you on Christmas Eve!
Thanks very much!
Clearly you are not in this for the money - it's nice to communicate with someone who might be even more altruistic than I am - that's a rarity.
I'll do as you suggest with the MiniToolBox
Have a great Christmas Day.
Cheers
Clive

Malware never takes a holiday and neither do I. Merry Christmas.

Re: Tidserv Activity 2
Hi Dave
Here's the result of the MiniToolBox run.
I noticed this in the Result:-
========================================
Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
========================================
I believe NetBT was spotted by one of the antivirus/Antispy applications as containing a Trojan and may have been erased or quarantined.
Is that possible and possibly the reason my networks adapter isn't working????
In a previous communication I said :-
======================================
Hi Dave
I could only run ComboFix
It discovered that Rootkit.ZeroAccess had inserted itself into the tcp/ip stack and attempted to fix it.
======================================
That sounds very suspect too! Might have stuffed up the tcp/ip communication.
Best regards
Clive


MiniToolBox by Farbar
Ran by Clive (administrator) on 26-12-2011 at 11:41:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)

***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration




========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================

127.0.0.1 localhost

========================= IP Configuration: ================================

Realtek RTL8139 Family PCI Fast Ethernet NIC = Local Area Connection 3 (Connected)
1394 Net Adapter = 1394 Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip



popd
# End of interface IP configuration




Windows IP Configuration



Server: UnKnown
Address: 127.0.0.1

Ping request could not find host google.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host yahoo.com. Please check the name and try again.

Server: UnKnown
Address: 127.0.0.1

Ping request could not find host bleepingcomputer.com. Please check the name and try again.



Pinging 127.0.0.1 with 32 bytes of data:



Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128



Ping statistics for 127.0.0.1:

Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
===========================================================================
Persistent Routes:
None

========================= Event log errors: ===============================

Application errors:
==================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x042c22c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/23/2011 04:31:42 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module , version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 00:11:29 PM) (Source: Application Error) (User: )
Description: Fault bucket 1272456061.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/22/2011 00:11:27 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x676c8062.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/22/2011 10:33:34 AM) (Source: Userenv) (User: SYSTEM)SYSTEM
Description: Windows cannot unload your registry file. The memory used by the registry has not been freed. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account. If this problem persists, contact your administrator.


DETAIL - Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error) (User: )
Description: Fault bucket 862106380.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Error: (12/21/2011 07:55:57 PM) (Source: Application Error) (User: )
Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module unknown, version 0.0.0.0, fault address 0x05d522c8.
Processing media-specific event for [explorer.exe!ws!]

Error: (12/21/2011 06:03:27 PM) (Source: crypt32) (User: )
Description: Failed auto update retrieval of third-party root list sequence number from: with error: This operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS) (User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL) (User: )
Description: Aborting


System errors:
=============
Error: (12/26/2011 04:30:53 AM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/26/2011 04:30:25 AM) (Source: Service Control Manager) (User: )
Description: The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT

Error: (12/26/2011 04:30:17 AM) (Source: Service Control Manager) (User: )
Description: The DHCP Client service depends on the following nonexistent service: NetBT

Error: (12/25/2011 08:40:41 PM) (Source: DCOM) (User: SYSTEM)
Description: The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register with DCOM within the required timeout.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The Symantec Eraser Service service failed to start due to the following error:
%%1053

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: Timeout (30000 milliseconds) waiting for the Symantec Eraser Service service to connect.

Error: (12/25/2011 08:40:02 PM) (Source: Service Control Manager) (User: )
Description: The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT


Microsoft Office Sessions:
=========================
Error: (12/24/2011 11:28:23 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0042c22c8

Error: (12/23/2011 04:31:42 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.55120.0.0.000000000

Error: (12/22/2011 00:11:29 PM) (Source: Application Error)(User: )
Description: 1272456061

Error: (12/22/2011 00:11:27 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.0676c8062

Error: (12/22/2011 10:33:34 AM) (Source: Userenv)(User: SYSTEM)SYSTEM
Description: Insufficient system resources exist to complete the requested service.

Error: (12/21/2011 07:56:09 PM) (Source: Application Error)(User: )
Description: 862106380

Error: (12/21/2011 07:55:57 PM) (Source: Application Error)(User: )
Description: explorer.exe6.0.2900.5512unknown0.0.0.005d522c8

Error: (12/21/2011 06:03:27 PM) (Source: crypt32)(User: )
Description: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txtThis operation returned because the timeout period expired.

Error: (12/21/2011 05:34:59 PM) (Source: SENS)(User: )
Description: Event System Win32 Error: No service is operating at the destination network endpoint on the remote system.

ServiceStart(): SensInitialize() failed

Error: (12/21/2011 05:33:04 PM) (Source: MySQL)(User: )
Description: Aborting


========================= Memory info: ===================================

Percentage of memory in use: 31%
Total physical RAM: 1023.53 MB
Available physical RAM: 700.3 MB
Total Pagefile: 2461.45 MB
Available Pagefile: 1752.55 MB
Total Virtual: 2047.88 MB
Available Virtual: 1973.26 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:322.27 GB) (Free:43.81 GB) NTFS
3 Drive d: () (Fixed) (Total:143.49 GB) (Free:11.64 GB) NTFS
7 Drive h: (DRV2_VOL2) (Fixed) (Total:97.62 GB) (Free:0.83 GB) NTFS
8 Drive i: (DRV2_VOL1) (Fixed) (Total:14.16 GB) (Free:1.52 GB) FAT32
9 Drive j: (FreeAgent Drive) (Fixed) (Total:1397.26 GB) (Free:0.05 GB) NTFS
10 Drive k: (FreeAgent Drive) (Fixed) (Total:698.64 GB) (Free:70.45 GB) NTFS
11 Drive l: () (Removable) (Total:7.45 GB) (Free:0.08 GB) FAT32
12 Drive m: (Iomega HDD) (Fixed) (Total:1863.01 GB) (Free:732.77 GB) NTFS

========================= Users: ========================================

User accounts for \\CB-SONY-DESKTOP

Administrator ASPNET Clive
Guest HelpAssistant SUPPORT_388945a0


**** End of log ****

Re: Tidserv Activity 2
Please download Farbar Service Scanner and run it on the computer with the issue.

  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Re: Tidserv Activity 2
Hi Dave
Here is the result of the Farbar scan.
Registry keys missing
Best regards
Clive
++++++++++++++++++++++++++++++++++++++++
Farbar Service Scanner
Ran by Clive (administrator) on 26-12-2011 at 22:10:18
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit

Re: Tidserv Activity 2
Please run FSS again. It would appear that some of the log is missing.

Re: Tidserv Activity 2
Hi Dave
I checked all the boxes this time.
Cheers
Clive
==========================================
Farbar Service Scanner
Ran by Clive (administrator) on 27-12-2011 at 20:43:38
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
The following steps involve registry editing. Please create a new restore point before proceeding!!!

How to:
XP - Create new Restore Point
Vista and Seven - Create a new Restore Point

Download XP.zip file from here: XP.zip
Unzip the file.
You'll find six files inside.
Right click on afd.reg file, click "Merge".
Allow registry merge.
Restart computer and see if internet works.

If not, please post a fresh Farbar Service Scanner log.

Re: Tidserv Activity 2
Hi Dave
Sorry - that didn't work.
I was interrupted for a long time and forgot to create a restore point - fortunately nothing seemed to crash and I have created one now.
It seems like the NetBt is the problem??? As I said earlier I think it got clobbered by one of the AV/AS applications which found a trojan in it. I found this link which sounds like my problem to me but it horrifies me how much effort seems to be involved in rectifying it!
Whaddayathink? (I'm an Aussie - but have lived for nearly 15 years about 20 miles north of the Golden Gate Bridge.)

http://www.christowles.com/2011/11/how-to-reinstall-netbt-on-windows-xp.html

Below is the new Farbar log
All the best.
Clive
=====================================
Farbar Service Scanner
Ran by Clive (administrator) on 28-12-2011 at 18:45:53
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2
Hello again Dave
I've looked at my registry and the entry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT
is missing.
I have obtained a copy of NetBt.reg (see below) from the ChristOwles link in my last post. What, if anything, should I do with it?
Can I merge it with the registry as we did before?
=========================================
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00
"Description"="NetBios over Tcpip"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Linkage]
"OtherDependencies"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"Bind"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,\
00,69,00,70,00,5f,00,7b,00,34,00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,\
2d,00,38,00,41,00,41,00,34,00,2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,\
00,45,00,37,00,2d,00,38,00,35,00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,\
30,00,43,00,34,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,\
34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,\
00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,\
45,00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,\
00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,30,00,38,00,\
30,00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,\
00,37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,\
35,00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,\
7b,00,41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,\
00,32,00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,\
43,00,44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,\
00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,\
69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,00,36,00,38,00,34,00,37,00,2d,\
00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,33,00,2d,00,41,00,41,00,\
35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,00,41,00,30,00,34,00,31,\
00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,32,00,30,00,44,\
00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,\
45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,\
00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,00,7d,00,00,00,5c,00,44,00,\
65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,\
00,45,00,44,00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,\
44,00,2d,00,34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,\
00,45,00,38,00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,\
00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,36,00,30,00,39,00,2d,00,\
46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,00,2d,00,42,00,34,00,37,\
00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,45,00,41,00,31,00,39,00,\
43,00,46,00,7d,00,00,00,00,00
"Route"=hex(7):22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,34,\
00,38,00,43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,\
2d,00,34,00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,\
00,39,00,46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,22,00,\
00,00,22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,36,00,38,\
00,38,00,33,00,36,00,34,00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,\
34,00,45,00,41,00,32,00,2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,\
00,38,00,43,00,31,00,45,00,35,00,33,00,33,00,35,00,41,00,7d,00,22,00,00,00,\
22,00,54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,30,00,38,00,30,\
00,39,00,41,00,38,00,43,00,30,00,2d,00,38,00,46,00,35,00,44,00,2d,00,34,00,\
37,00,30,00,46,00,2d,00,38,00,44,00,30,00,44,00,2d,00,30,00,45,00,33,00,35,\
00,37,00,31,00,33,00,33,00,31,00,30,00,36,00,37,00,7d,00,22,00,00,00,22,00,\
54,00,63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,41,00,44,00,33,00,37,\
00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,00,2d,00,34,00,32,00,\
42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,44,00,38,00,31,00,43,\
00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,22,00,00,00,22,00,54,00,\
63,00,70,00,69,00,70,00,22,00,20,00,22,00,7b,00,46,00,44,00,31,00,36,00,36,\
00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,45,00,\
33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,00,39,\
00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,22,00,00,00,22,00,54,00,63,00,\
70,00,69,00,70,00,22,00,20,00,22,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,\
00,41,00,34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,\
2d,00,39,00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,\
00,33,00,35,00,45,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,\
69,00,70,00,22,00,20,00,22,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,\
00,31,00,2d,00,30,00,39,00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,\
41,00,43,00,38,00,31,00,2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,\
00,41,00,33,00,31,00,36,00,7d,00,22,00,00,00,22,00,54,00,63,00,70,00,69,00,\
70,00,22,00,20,00,22,00,4e,00,64,00,69,00,73,00,57,00,61,00,6e,00,49,00,70,\
00,22,00,00,00,00,00
"Export"=hex(7):5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,\
00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,34,00,38,00,\
43,00,35,00,37,00,43,00,39,00,44,00,2d,00,38,00,41,00,41,00,34,00,2d,00,34,\
00,37,00,44,00,45,00,2d,00,41,00,36,00,45,00,37,00,2d,00,38,00,35,00,39,00,\
46,00,30,00,35,00,44,00,44,00,39,00,30,00,43,00,34,00,7d,00,00,00,5c,00,44,\
00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,\
54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,36,00,38,00,38,00,33,00,36,00,34,\
00,45,00,32,00,2d,00,43,00,35,00,44,00,43,00,2d,00,34,00,45,00,41,00,32,00,\
2d,00,41,00,30,00,30,00,46,00,2d,00,44,00,32,00,38,00,38,00,43,00,31,00,45,\
00,35,00,33,00,33,00,35,00,41,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,\
63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,\
00,70,00,5f,00,7b,00,30,00,38,00,30,00,39,00,41,00,38,00,43,00,30,00,2d,00,\
38,00,46,00,35,00,44,00,2d,00,34,00,37,00,30,00,46,00,2d,00,38,00,44,00,30,\
00,44,00,2d,00,30,00,45,00,33,00,35,00,37,00,31,00,33,00,33,00,31,00,30,00,\
36,00,37,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,\
00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,\
41,00,44,00,33,00,37,00,39,00,30,00,32,00,33,00,2d,00,33,00,33,00,45,00,32,\
00,2d,00,34,00,32,00,42,00,41,00,2d,00,39,00,33,00,39,00,39,00,2d,00,43,00,\
44,00,38,00,31,00,43,00,45,00,30,00,46,00,45,00,30,00,33,00,38,00,7d,00,00,\
00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,\
54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,46,00,44,00,31,00,36,\
00,36,00,38,00,34,00,37,00,2d,00,37,00,42,00,31,00,30,00,2d,00,34,00,35,00,\
45,00,33,00,2d,00,41,00,41,00,35,00,31,00,2d,00,38,00,37,00,32,00,33,00,44,\
00,39,00,41,00,30,00,34,00,31,00,31,00,33,00,7d,00,00,00,5c,00,44,00,65,00,\
76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,\
00,70,00,69,00,70,00,5f,00,7b,00,42,00,30,00,43,00,39,00,35,00,33,00,41,00,\
34,00,2d,00,42,00,45,00,31,00,35,00,2d,00,34,00,41,00,39,00,46,00,2d,00,39,\
00,31,00,34,00,31,00,2d,00,34,00,31,00,45,00,39,00,45,00,46,00,36,00,33,00,\
35,00,45,00,31,00,36,00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,\
00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,\
5f,00,7b,00,32,00,30,00,44,00,42,00,36,00,35,00,31,00,31,00,2d,00,30,00,39,\
00,43,00,44,00,2d,00,34,00,45,00,37,00,39,00,2d,00,41,00,43,00,38,00,31,00,\
2d,00,42,00,35,00,41,00,30,00,38,00,33,00,45,00,43,00,41,00,33,00,31,00,36,\
00,7d,00,00,00,5c,00,44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,\
74,00,42,00,54,00,5f,00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,45,00,44,\
00,35,00,45,00,42,00,33,00,35,00,42,00,2d,00,32,00,37,00,30,00,44,00,2d,00,\
34,00,34,00,32,00,46,00,2d,00,39,00,42,00,35,00,41,00,2d,00,32,00,45,00,38,\
00,45,00,30,00,45,00,38,00,32,00,37,00,44,00,32,00,44,00,7d,00,00,00,5c,00,\
44,00,65,00,76,00,69,00,63,00,65,00,5c,00,4e,00,65,00,74,00,42,00,54,00,5f,\
00,54,00,63,00,70,00,69,00,70,00,5f,00,7b,00,43,00,36,00,39,00,45,00,46,00,\
36,00,30,00,39,00,2d,00,46,00,35,00,36,00,35,00,2d,00,34,00,43,00,45,00,42,\
00,2d,00,42,00,34,00,37,00,44,00,2d,00,37,00,31,00,44,00,42,00,39,00,33,00,\
45,00,41,00,31,00,39,00,43,00,46,00,7d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"CacheTimeout"=dword:000927c0
"BcastNameQueryCount"=dword:00000003
"BcastQueryTimeout"=dword:000002ee
"NameSrvQueryCount"=dword:00000003
"NameSrvQueryTimeout"=dword:000005dc
"Size/Small/Medium/Large"=dword:00000001
"SessionKeepAlive"=dword:0036ee80
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001
"DhcpNodeType"=dword:00000008

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Security]
"Security"=hex:01,00,14,80,e8,00,00,00,f4,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,b8,00,08,00,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,\
05,0b,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,\
23,02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,20,\
02,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,25,02,\
00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,05,12,00,00,00,00,00,14,\
00,40,00,00,00,01,01,00,00,00,00,00,05,13,00,00,00,00,00,14,00,40,00,00,00,\
01,01,00,00,00,00,00,05,14,00,00,00,00,00,18,00,9d,01,02,00,01,02,00,00,00,\
00,00,05,20,00,00,00,2c,02,00,00,01,01,00,00,00,00,00,05,12,00,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Enum]
"0"="Root\\LEGACY_NETBT\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

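Before merging a .reg file obtained from a third-party site it is worth decoding what its hex-encoded values actually say, since a service key that points the ImagePath somewhere unexpected or adds a dependency would be merged just as silently as a correct one. The script below is an added example, not code from this thread, from Farbar or from the ChristOwles page: it parses the value types used in the NetBt.reg above (dword, hex(2) REG_EXPAND_SZ, hex(7) REG_MULTI_SZ and quoted REG_SZ strings), decodes the UTF-16LE byte lists, and checks that the service key points at system32\DRIVERS\netbt.sys and depends only on Tcpip. The embedded excerpt is constructed from the values quoted above with the long Linkage and Security blobs left out; the expected values handed to check_driver_service are assumptions about what a clean NetBT key contains.

```python
"""Decode a Windows .reg export so a registry fragment can be reviewed
before it is merged.  Added example; not a tool from this thread."""
import re

# Constructed excerpt of the NetBt.reg quoted above: the values are copied
# from it, the long Linkage and Security blobs are omitted.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Type"=dword:00000001
"Start"=dword:00000001
"Tag"=dword:00000006
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,\
00,73,00,79,00,73,00,00,00
"DisplayName"="NetBios over Tcpip"
"Group"="PNP_TDI"
"DependOnService"=hex(7):54,00,63,00,70,00,69,00,70,00,00,00,00,00
"DependOnGroup"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"NbProvider"="_tcp"
"NameServerPort"=dword:00000089
"TransportBindName"="\\Device\\"
'''

# "name"=value or @=value (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _logical_lines(text):
    """Join the backslash-continued lines regedit writes for long hex values."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # trailing "\" means the value continues
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _hex_bytes(payload):
    return bytes(int(b, 16) for b in payload.split(",") if b)


def decode_value(raw):
    """Return (type name, Python value) for one .reg value literal."""
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    if raw.startswith("hex(2):"):        # REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return "REG_EXPAND_SZ", _hex_bytes(raw[7:]).decode("utf-16-le").rstrip("\x00")
    if raw.startswith("hex(7):"):        # REG_MULTI_SZ: NUL separated, double NUL end
        text = _hex_bytes(raw[7:]).decode("utf-16-le")
        return "REG_MULTI_SZ", [s for s in text.split("\x00") if s]
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError("unsupported .reg value: %r" % raw)


def parse_reg(text):
    """Parse .reg text into {key path: {value name: (type, value)}}."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            keys[current][name] = decode_value(m.group(3))
    return keys


def check_driver_service(keys, key, expected_image, expected_deps):
    """Sanity-check a kernel-driver service key; returns a list of findings."""
    vals = keys.get(key, {})
    findings = []
    image = vals.get("ImagePath", (None, ""))[1]
    if image.lower() != expected_image.lower():
        findings.append("ImagePath is %r, expected %r" % (image, expected_image))
    deps = vals.get("DependOnService", (None, []))[1]
    if deps != expected_deps:
        findings.append("DependOnService is %r, expected %r" % (deps, expected_deps))
    if vals.get("Type", (None, None))[1] != 1:       # 1 = SERVICE_KERNEL_DRIVER
        findings.append("Type is not a kernel driver")
    if vals.get("Start", (None, None))[1] != 1:      # 1 = SERVICE_SYSTEM_START
        findings.append("Start is not SERVICE_SYSTEM_START")
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    netbt = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT"
    for name, (typ, val) in parsed[netbt].items():
        print("%-16s %-14s %r" % (name, typ, val))
    print("findings:", check_driver_service(
        parsed, netbt, r"system32\DRIVERS\netbt.sys", ["Tcpip"]))
```

Run it on a saved copy of the .reg file by replacing SAMPLE_REG with the file's contents; an empty findings list means the key describes a plain kernel driver at the expected path with the expected single dependency, which is the shape a NetBT service key is supposed to have.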
Re: Tidserv Activity 2
Can I merge it with the registry as we did before?


Please try these first.

Download WinSockXPFix to fix broken LSP chain for XP (if needed).

  • Double click on WinsockXPFix.
  • Click Fix.

************************************************
Go Start>Run (Start search in Vista and 7), type in:
cmd
Click OK (in Vista, while holding CTRL, and SHIFT, press Enter).

At Command Prompt, type in:
netsh int ip reset reset.log
Hit Enter.
Type in:
netsh winsock reset catalog
Hit Enter.

Re: Tidserv Activity 2
Please ignore the two instructions I posted in my previous post and try the following.

The following steps involve registry editing. Please create a new restore point before proceeding!!!

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security, with Everyone selected, put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Download XP.zip file from here: XP.zip
Unzip the file.
You'll find six files inside.
Right click on Legacy_netbt.reg file, click "Merge".
Allow registry merge.

Please go back to the Root key again and, while Everyone is selected, remove the check mark in the box under Allow next to Full Control, then close the registry editor.
Restart computer.

Re: Tidserv Activity 2
Hi Dave
I just saw your new 4:03 PM message as I tried to post mine below.
Please have a look at what I've said and I'll have a look at yours.
Cheers
CB
============================
Hi Dave
Well I tried that and have not seen any joy.
I installed a USB wireless stick and it seems to communicate with the router just fine but no internet connection. Farbar says still no NetBt (do we really need that?).
I can't continue this much longer - I need to be able to use my desktop for certain tasks that I've been unable to do for 3 weeks.
I'm thinking of writing a DriveImage XML .xml image from 2009 back onto the C drive and using that as a starting point to rebuild or maybe just use the Sony system restore disks????
But the TCP/IP seems to be the only problem?
How close are we do you think?
What about the Windows Recovery option on bootup?
Best regards
Clive
========================================
Latest Farbar output:-


Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 16:45:13
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking LEGACY_NetBt: Attention! Unable to open LEGACY_NetBt\0000 registry key. The key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2

do we really need that?).


Yes. This is what the latest infection does. It removes necessary registry keys. If you follow my latest set of instructions, I'm sure it will fix the problem.

Re: Tidserv Activity 2

Hi Dave
I tried your 4:03PM suggestion but still no joy. The Legacy_NetBt key exists (here's the entry :- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT) and the entries inside of it look reasonable compared to the Legacy_NetBios key, which I understand serves a similar function. But the FSS output below says that the NetBt registry key can't be opened????
Maybe this Network Diagnostics for Windows XP (courtesy of IE) holds the answer to someone who understands what it's trying to say. However, your 11:09 post which I followed looked like it should have fixed that, shouldn't it?
Regards
CB
P.S. I took the Dlink DWA130 USB wireless Stick out before running this. Note also that the 1394 is just a connection to an external HDD.
=================================================
Last diagnostic run time: 12/29/11 17:42:08 WinSock Diagnostic
WinSock status

info Error attmpting to validate the Winsock base providers: 2
error Not all base service provider entries could be found in the winsock catalog. A reset is needed.
info Redirecting user to support call



Network Adapter Diagnostic
Network location detection

info Using home Internet connection
Network adapter identification

info Network connection: Name=Local Area Connection 3, Device=Realtek RTL8139 Family PCI Fast Ethernet NIC, MediaType=LAN, SubMediaType=LAN
info Network connection: Name=1394 Connection, Device=1394 Net Adapter, MediaType=LAN, SubMediaType=1394
info Ethernet connection selected
Network adapter status

info Network connection status: Connected



HTTP, HTTPS, FTP Diagnostic
HTTP, HTTPS, FTP connectivity

warn FTP (Passive): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.microsoft.com: The server name or address could not be resolved
warn FTP (Active): Error 12007 connecting to ftp.microsoft.com: The server name or address could not be resolved
warn HTTP: Error 12007 connecting to www.hotmail.com: The server name or address could not be resolved
warn HTTPS: Error 12007 connecting to www.passport.net: The server name or address could not be resolved
error Could not make an HTTP connection.
error Could not make an HTTPS connection.
error Could not make an FTP connection.
=================================================
====================================================
Farbar Service Scanner
Ran by Clive (administrator) on 29-12-2011 at 17:29:49
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) PSched(7) RFCOMM(9) SYMTDI(8) Tcpip(4)
0x09000000050000000100000002000000030000000400000008000000060000000700000009000000

**** End of log ****

Re: Tidserv Activity 2

But the FSS output below says that the NetBt registry key can't be opened????


Did you do this first part?
Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.

Re: Tidserv Activity 2

Yes - and all the rest of it as well

Re: Tidserv Activity 2

I'm as sure as I can be that I followed all the instructions today to the letter.

Re: Tidserv Activity 2

Will you please try that fix again. It is supposed to fix your connection problem

Re: Tidserv Activity 2

Hi Dave
Well I went carefully through that process again and still FSS says Unable to open NetBt registry key.
I have screen shots of the process as I actioned it but don't see any way to send them to you. Sometimes there is a file attachment box here sometimes not??? Not one here right now.
FSS complained that there was an AutoIt Error on Line 2443 when I ran it "Error: Variable used without being declared" so I downloaded FSS.exe afresh from the link you gave me and used the new version but still got the same error. Cheez this is painful - I never could understand when I heard that some people just dumped their virus-laden computers and went and bought a new one - now I do! In fact, although I still want to get this machine back in its right mind, I've decided that it is time to replace it as my main desktop after nearly nine years - it's amazing, given the grunty work I do on it like SolidWorks and Mefisto microwave models, that it has lasted me as well as it has. I have, very reluctantly, sprung for a new machine which is being built as I write (I hope).
Best regards
Clive
P.S. I should probably have mentioned previously that the XP machine has not been booting cleanly for several years, since I had a hard drive crash and replaced it with a new HDD and wrote the old (DriveImage XML) image back to the new drive. It kinda worked but I have to hit F2 as it is booting and then boot from within the BIOS. The boot order is correct. After - I'm afraid to say it really - 51 years dealing with computers on a daily basis I have always been able to troubleshoot things that aren't right and get myself out of trouble but this time - no! Yeah! 51 years! I'll be 73 in February - am I the oldest geek in the world? I'm surely not. But I'll swear to you I am not making any errors. Not Ga Ga yet!


==================================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 17:35:25
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

NetBt Service is not running. Checking service configuration:
Checking Start type: Attention! Unable to open NetBt registry key. The service key does not exist.
Checking ImagePath: Attention! Unable to open NetBt registry key. The service key does not exist.


Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable

Re: Tidserv Activity 2

Hi Again Dave
I found this advice on http://www.bleepingcomputer.com/forums/topic434831.html
================================================
You have missing/corrupted two registry keys.

Following steps involve registry editing. Please create new restore point before proceeding!!!
How to:
XP - http://support.microsoft.com/kb/948247
Vista and Seven - http://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/

Download XP.zip file from here: http://www.smartestcomputing.us.com/files/download/9-registry-network-keys/
Unzip the file.
You'll find several files inside.
Right click on netbt.reg file, click "Merge".
Allow registry merge.

Then....

Please go to Start=>Run (alternatively use Windows key+R), type regedit and click OK.
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control.
Click Apply and OK.
Go back to files you download in previous step.
Double-click LEGACY_netbt.reg and confirm the prompt.
Please go back to the Root key again while Everyone is selected, remove the check mark in the box under Allow next to Full Control and close the registry.
============================================

So I followed it (note that includes the action
"Right click on netbt.reg file, click "Merge".
Allow registry merge."
which we hadn't been doing.

Now FSS gives:-
===============================================
Farbar Service Scanner
Ran by Clive (administrator) on 30-12-2011 at 18:39:28
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
There is no connection to network.
Attempt to access Google IP returned error: Google IP is unreachable
Attempt to access Yahoo IP returend error: Yahoo IP is unreachable
=================================================
So it's not complaining about being unable to open the registry key NetBt anymore - though it still isn't connecting to the internet. However, maybe if I do my tricks with unplugging the router and cable modem it might fetch an IP address and work OK (when my wife doesn't need the internet for her real estate transactions going on now).
Any other thoughts?
Best regards
Clive
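
Added example, not code from the thread, from bleepingcomputer or from the XP.zip download: before merging a .reg fix from a third-party site, as the steps above and Dave's earlier regedit permission steps have you do, it is worth reading what the file will actually write, because the merge runs with the rights of the administrator doing it and, for the LEGACY_NETBT part, with Everyone temporarily granted Full Control on Enum\Root. This Python script parses a .reg file (including hex(2) expandable strings split over continuation lines) and flags keys outside the two the fix is supposed to restore, any key or value deletion, and an ImagePath that does not point at netbt.sys under system32\drivers, which is the file FSS checked. GOOD_REG and TAMPERED_REG are constructed samples: the values in them are illustrative, not the authoritative XP NetBt settings, and the Run entry in the second one is hypothetical.

```python
"""Review a downloaded .reg fix before merging it.

Added example; not code from the thread, from bleepingcomputer or from the
XP.zip download. The sample .reg files below are constructed for illustration
and their values are not the authoritative XP NetBt settings.
"""
import re

# The only keys the netbt.reg / LEGACY_netbt.reg fix should touch.
ALLOWED_KEYS = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETBT",
)

GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000001
"Group"="PNP_TDI"
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,\
  52,00,49,00,56,00,45,00,52,00,53,00,5c,00,6e,00,65,00,74,00,62,00,74,00,2e,00,\
  73,00,79,00,73,00,00,00
"""

# Hypothetical tampered version: ImagePath moved out of system32\drivers and an
# extra Run entry that a "network fix" has no business writing.
TAMPERED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBt]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="C:\\WINDOWS\\Temp\\netbt.sys"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\WINDOWS\\Temp\\updater.exe"
"""


def _logical_lines(text):
    """Yield .reg lines with hex continuations (a trailing backslash) joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].strip()
            continue
        yield buf + line
        buf = ""


def decode_value(data):
    """Decode the right-hand side of a name=data line into (type, value)."""
    if data == "-":
        return ("DELETE", None)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.fullmatch(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)", data)
    if not m:
        raise ValueError(f"unsupported value syntax: {data!r}")
    kind = int(m.group(1) or "3", 16)            # bare hex: is REG_BINARY (3)
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 2:                                 # REG_EXPAND_SZ: UTF-16LE, NUL terminated
        return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
    if kind == 7:                                 # REG_MULTI_SZ: NUL separated, double NUL end
        return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s])
    return (f"hex({kind:x})", raw)


def parse_reg(text):
    """Return {key: {name: (type, value)}}; a [-KEY] deletion keeps its leading '-'."""
    keys, current = {}, None
    for line in _logical_lines(text):
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed .reg line: {line!r}")
        name, _, data = line.partition("=")      # value names containing '=' are not handled
        name = "@" if name == "@" else name.strip('"')
        keys[current][name] = decode_value(data)
    return keys


def review_reg(text, allowed=ALLOWED_KEYS):
    """List reasons not to merge this file; an empty list means it stays in scope."""
    problems = []
    for key, values in parse_reg(text).items():
        target = key[1:] if key.startswith("-") else key
        low = target.lower()
        if key.startswith("-"):
            problems.append(f"deletes key {target}")
        if not any(low == a.lower() or low.startswith(a.lower() + "\\") for a in allowed):
            problems.append(f"writes outside the fix's scope: {target}")
        for name, (kind, value) in values.items():
            if kind == "DELETE":
                problems.append(f"deletes value {name!r} under {target}")
            elif name.lower() == "imagepath":
                path = str(value).lower().replace("/", "\\")
                if not path.endswith("system32\\drivers\\netbt.sys"):
                    problems.append(f"ImagePath under {target} is {value!r}, not netbt.sys under system32\\drivers")
    return problems
```

Run review_reg(open("netbt.reg").read()) on each file before right-clicking Merge; only merge when it returns an empty list. The allow-list is deliberately narrow (the service key and the LEGACY_NETBT enum key, plus their subkeys) because a merged .reg can silently add a Run entry or redirect a driver path, which is exactly the kind of change the infection this thread is about makes in the other direction.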


Re: Tidserv Activity 2

Hi Dave
Well the good news is that, when I uninstalled and reinstalled my Ethernet adapter, I could then talk to the web. (The Device Manager previously indicated all was well with the Ethernet adapter but I thought I should do the uninstall/reinstall to make sure and - voila!)
So now the question is "in what order would you suggest I should run SAS and MBAM and whatever else to ensure (as far as possible) that I can use financial software like Quicken safely?"
Thanks again so much for your help.
Is there a useful tutorial on all this stuff?
Best regards
Clive

Re: Tidserv Activity 2

So now the question is "in what order would you suggest I should run SAS and MBAM

It really doesn't matter.
Is there a useful tutorial on all this stuff?

You might be able to find something by googling.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan
•Click the ESET Online Scanner button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

  • Click on the link to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the ESET Smart Installer icon on your desktop.

•Check the box to accept the Terms of Use.
•Click the Start button.
•Accept any security warnings from your browser.
•Check "Scan archives".
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push "List found threats".
•Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the Back button.
•Push Finish.
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt
