xp security 2012 virus

Hi

Having just have you guys remove a rootkit infection (thank you) on my desktop, yesterday this virus infected my laptop.

My laptop actually belongs to a school, but the IT tech has kindly given me his login as he is off on holiday for two weeks so will not be able to help until the end of the month. With my login, the virus has completely hijacked the internet pages and will not let me do anything online. Would you please help me? I have tried to run the OTL scan as suggested on the 'please read this' page and but it keeps on freezing. However, I am not sure if the OTL will find what it needs if I am logged in as someone else? Please help!

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*****************************************************************
The tech may have put some restrictions on your computer which prevents our programs from running but we can give it a try. Please boot your computer in Safe Mode with NetWorking, download, install and try running the program below. Reboot in Normal mode and try running it again.

Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Full Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  
• Please save the log to a location you will remember.
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy and paste the entire report in your next reply.
  

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thank you for replying. The computer would not let me log in in safe mode for some reason so I just ran the scan logged in as the tech and here is the log. One point, although the laptop says windows XP, the tech says it is actually a progamme called RM which looks like XP but has some slighlty different functions. Don't know if this is relevant.

Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.13.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
SystemAdmin :: LT25 [administrator]

13/01/2012 09:07:24
mbam-log-2012-01-13 (09-07-24).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 287554
Time elapsed: 39 minute(s), 33 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 6
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA1-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07B18EA9-A523-4961-B6BB-170DE4475CCA} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Detected: 3
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks|{00A6FAF6-072E-44cf-8957-5838F569A31D} (Adware.MyWebSearch) -> Data: -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Data: 0 -> Quarantined and deleted successfully.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\clerk\Local Settings\Application Data\xsw.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Security Center|UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\clerk\Local Settings\Application Data\xsw.exe (Spyware.Agent) -> Quarantined and deleted successfully.

(end)


Thank you

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispyware Free Edition (SAS)
* Double-click the icon on your desktop to run the installer.
* When asked to Update the program definitions, click Yes
* If you encounter any problems while downloading the updates, manually download and unzip them from here
* Next click the Preferences button.

•Under Start-Up Options uncheck Start SUPERAntiSpyware when Windows starts
* Click the Scanning Control tab.
* Under Scanner Options make sure only the following are checked:

•Close browsers before scanning
•Scan for tracking cookies
•Terminate memory threats before quarantining
•Please leave the others unchecked

•Click the Close button to leave the control center screen.

* On the main screen click Scan your computer
* On the left check the box for the drive you are scanning.
* On the right choose Perform Complete Scan
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete a summary box will appear. Click OK
* Make sure everything in the white box has a check next to it, then click Next
* It will quarantine what it found and if it asks if you want to reboot, click Yes

•To retrieve the removal information please do the following:
•After reboot, double-click the SUPERAntiSpyware icon on your desktop.
•Click Preferences. Click the Statistics/Logs tab.

•Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.

•It will open in your default text editor (preferably Notepad).
•Save the notepad file to your desktop by clicking (in notepad) File > Save As...

* Save the log somewhere you can easily find it. (normally the desktop)
* Click close and close again to exit the program.
*Copy and Paste the log in your post.
**********************************************
Download DDS from HERE or HERE and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.
* Save both reports to your desktop.
* The instructions here ask you to attach the Attach.txt.



1) DDS.txt
2) Attach.txt
Instead of attaching, please copy/past both logs into your Thread

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copying and pasting it into the reply.

•Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE .Then post your DDS logs. (DDS.txt and Attach.txt )

OK Superdave I have run the scans and here are the 3 logs copied and pasted as requested. Thank you.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/14/2012 at 09:22 AM

Application Version : 5.0.1142

Core Rules Database Version : 8134
Trace Rules Database Version: 5946

Scan type : Quick Scan
Total Scan Time : 00:07:05

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 568
Memory threats detected : 0
Registry items scanned : 31444
Registry threats detected : 0
File items scanned : 11410
File threats detected : 8

Adware.Tracking Cookie
C:\Documents and Settings\systemadmin\Cookies\systemadmin@ad.yieldmanager[1].txt [ /ad.yieldmanager ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@atdmt[2].txt [ /atdmt ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@collective-media[2].txt [ /collective-media ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@doubleclick[2].txt [ /doubleclick ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@invitemedia[1].txt [ /invitemedia ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@media6degrees[1].txt [ /media6degrees ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@revsci[1].txt [ /revsci ]
C:\Documents and Settings\systemadmin\Cookies\systemadmin@statcounter[2].txt [ /statcounter ]

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by SystemAdmin at 9:25:47 on 2012-01-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.978 [GMT 0:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Research Machines\Network Management\RMC3IEngine\bin\utsU.exe
C:\Program Files\Research Machines\Network Management\RM LST SAG\bin\RM LST Station Helper Service.exe
C:\Program Files\Research Machines\Network Management\Printer Credits\RMClientEvtService.exe
C:\Program Files\Research Machines\Network Management\Event Forwarding Service\RMEventForwardingService.exe
C:\Program Files\Research Machines\Classmate\PolicyMerger\PolicyMergerS.exe
C:\Program Files\Research Machines\Network Management\Printer Wrapper\RMPrinterWrapper.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\H+H\Virtual CD 4\System\vcdsecs.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Research Machines\Classmate\PolicyMerger\PolicyMerger.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\PDF Complete\pdfsty.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\PROGRA~1\H_H~1\VIRTUA~1\System\VCDPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apple\QuickTime 6.5\qttask.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Research Machines\Network Management\Volume Control\SafeVol.exe
C:\Program Files\Research Machines\Network Management\Logoff\rmlogoff.exe
C:\Program Files\Research Machines\Network Management\UserType Indicator\UserTypeIndicator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://login.northants.embc.uk.com
uLocal Page = c:\winnt\system32\blank.htm
uDefault_Page_URL = res://iesetup.dll/softAdmin.htm
uInternet Connection Wizard,ShellNext = https://kss-sr-001/manage/school/default.asp?SchoolLDAP=LDAP://OU=KSS,OU=ESTABLISHMENTS,DC=KSSCC3,DC=INTERNAL&SchoolOU=KSS&LDAP=LDAP://OU=KSS,OU=ESTABLISHMENTS,DC=KSSCC3,DC=INTERNAL&OU=KSS
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat reader 6.0\reader\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray
mRun: [PTHOSTTR] c:\program files\hewlett-packard\hp protecttools security manager\PTHOSTTR.EXE /Start
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [WatchDog] c:\program files\intervideo\dvd check\DVDCheck.exe
mRun: [VCDPlayer] c:\progra~1\h_h~1\virtua~1\system\VCDPlay.exe
mRun: [RM Outlook Profile Setup] c:\program files\research machines\network management\outlook profile setup\OutlookProfileSetup.exe
mRun: [RegLock] RegLock
mRun: [RMCDReset] c:\program files\research machines\cd rom player\CDROMPlayer.exe /reset
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [QuickTime Task] "c:\program files\apple\quicktime 6.5\qttask.exe" -atboottime
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: []
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
uExplorerRun: [RM Volume Control] Safevol /t
uExplorerRun: [RM Logoff] RMLogoff
uExplorerRun: [RM UserType Indicator] UserTypeIndicator
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvdche~1.lnk - c:\program files\intervideo\dvd check\DVDCheck.exe
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
uPolicies-explorer: Btn_Tools = 1 (0x1)
uPolicies-system: HideLegacyLogonScripts = 1 (0x1)
uPolicies-system: Shell = %ProgramFiles%\Research Machines\GateKeeper\GateKeeper.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{B26C6D87-92F5-4A38-BDC4-07C8C505C3CC} : DhcpNameServer = 192.168.0.1
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: DeviceNP - DeviceNP.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - none
mASetup: {5945c046-1e7d-11d1-bc44-00c04fd912be} - None
mASetup: {EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5} - rundll32.exe advpack.dll,LaunchINFSectionEx c:\windows\inf\wmactedp.inf,PerUserStub,,4
mASetup: >{RM Desktop CleanUp} - c:\program files\research machines\network management\desktop\NoSampleMedia.vbe
mASetup: RM Workstation Installation - c:\rm\install\RMStationBuild.exe
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vcdmpdrv;vcdmpdrv;c:\windows\system32\drivers\VCDMPDRV.sys [2003-9-8 49024]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-7 540448]
R2 PMSUtilityScheduler;RMC3IEngine;c:\program files\research machines\network management\rmc3iengine\bin\utsU.exe [2010-5-11 1667122]
R2 RM LST Station Helper Service;RM LST Station Helper Service;c:\program files\research machines\network management\rm lst sag\bin\RM LST Station Helper Service.exe [2006-3-23 249856]
R2 RMClientEvtService;RM Printer Credits Client Service;c:\program files\research machines\network management\printer credits\RMClientEvtService.exe [2003-10-30 1106031]
R2 RMEventForwardingService;RM Event Forwarding Service;c:\program files\research machines\network management\event forwarding service\RMEventForwardingService.exe [2004-6-21 118784]
R2 RmPolicyMergerS.exe;RM Policy Merger Service;c:\program files\research machines\classmate\policymerger\PolicyMergerS.exe [2001-12-4 49152]
R2 RMPrinterWrapper;RM Printer Wrapper Service;c:\program files\research machines\network management\printer wrapper\RMPrinterWrapper.exe [2003-10-30 917582]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-3 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111107.003\naveng.sys [2011-11-8 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111107.003\navex15.sys [2011-11-8 1576312]
S2 AutoExNT;AutoExNT;c:\windows\system32\AUTOEXNT.EXE [1995-2-1 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 135664]
S2 PrvlUserService;RM Privileged User Service;c:\program files\research machines\network management\privileged user service\PrvlUserService.exe [2002-11-27 270336]
S2 StationTidy;StationTidy;c:\program files\research machines\network management\station tidy\Stationtidy.exe [2003-7-11 241664]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [2010-5-7 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [2007-6-8 172131]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-1-18 135664]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
.
=============== Created Last 30 ================
.
2012-01-14 09:07:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-14 09:07:14 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-14 09:07:14 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-01-13 09:05:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-13 09:05:51 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-01-13 09:05:50 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-13 09:05:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-04 13:58:26 -------- d-----w- C:\HpUpdate
2012-01-04 13:54:00 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2012-01-04 13:54:00 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2012-01-04 13:50:38 544616 ------w- c:\windows\system32\HPDiscoPMa011.dll
2012-01-04 13:50:36 488296 ----a-w- c:\windows\system32\HPWia1_DJ3050A_J611.dll
2012-01-04 13:50:36 1929576 ----a-w- c:\windows\system32\HPScanTRDrv_DJ3050A_J611.dll
2012-01-04 13:50:33 429928 ----a-w- c:\windows\system32\hpinkstsa011.dll
2012-01-04 13:50:33 270696 ----a-w- c:\windows\system32\hpinkstsa011LM.dll
2012-01-04 13:50:33 216424 ----a-w- c:\windows\system32\hpinkcoia011.dll
.
==================== Find3M ====================
.
2011-11-11 13:33:03 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
1999-06-25 11:55:30 149504 ----a-w- c:\program files\UNWISE.EXE
2003-11-07 16:05:20 26112 --sha-r- c:\windows\system32\RMSecurity.exe
.
============= FINISH: 9:26:28.50 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 5/6/2010 12:56:08 PM
System Uptime: 1/14/2012 8:49:31 AM (1 hours ago)
.
Motherboard: Hewlett-Packard | | 30D8
Processor: Intel(R) Core(TM)2 Duo CPU T5270 @ 1.40GHz | U10 | 1186/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 112 GiB total, 98.781 GiB free.
D: is CDROM ()
U: is CDROM ()
Y: is CDROM ()
Z: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\HPQ0006\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\HPQ0006\2&DABA3FF&0
Service:
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
.
2Simple Music Toolkit
32 Bit HP CIO Components Installer
Acrobat Reader
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Shockwave Player 11.6
Agere Systems HDA Modem
Apple QuickTime 2.1.2 16bit
Apple QuickTime 2.1.2 32bit
BIOS Configuration for HP ProtectTools
Broadcom 802.11 Wireless LAN Adapter
CD ROM Database
CD ROM Player
CDROM Player Repair
Clicker 5 English UK Workstation
communicate in print
Device Access Manager for HP ProtectTools
DK Codec Fix
Google Toolbar for Internet Explorer
Google Update Helper
Graphics Server
HP Deskjet 3050A J611 series Basic Device Software
HP Deskjet 3050A J611 series Help
HP Doc Viewer
HP Help and Support
HP Integrated Module with Bluetooth wireless technology
HP Notebook Accessories Product Tour
HP ProtectTools Security Manager
HP Update
HP User Guides 0084
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
InterVideo DVD Check
InterVideo Register Manager
InterVideo WinDVD
Java Auto Updater
Java Virtual Machine
Java(TM) 6 Update 24
Java(TM) SE Runtime Environment 6 Update 1
L&H TTS3000 British English
LiveUpdate 3.2 (Symantec Corporation)
Macromedia Shockwave Player 10
Malwarebytes Anti-Malware version 1.60.0.1800
Maths-Whizz R
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .Net Framework for CC3
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MSI Package to accompany WriteAccess.ini files
MSN
Noisy Things
Offline Files Cache
PDF Complete
Pippa Funnell
Primary Curriculum for Behaviour
QuickTime 6.5
RealOne Player 2.0
RM AppACLTool
RM AppAgent
RM AutoExNT
RM CD Burning Helper
RM Client Security Module
RM Commissioning Utilities
RM Default Logon Settings
RM Default Profile
RM Desktop Agent
RM Desktop Components
RM Event Forwarding Service
RM Explorer 2
RM Explorer CC3 Schemes
RM Explorer Scheme Manager
RM GateKeeper
RM IDChecker
RM InstApp Hotfix 75
RM KeepList
RM Location Chooser
RM Location Services
RM Logoff
RM Logon Provider
RM Logsrv
RM LST Common
RM LST SAG
RM LST Station Upgrade
RM Offline
RM Outlook Profile Setup
RM Policy Merger
RM Printer Credits Client Service
RM Printer Credits Framework
RM Printer Wrapper Service
RM Privileged User Policy
RM Privileged User Service
RM RegLock
RM Station Manager
RM Station Rebuild BuildManager Resources
RM Station Tidy
RM Status Reporter
RM StnDeliv
RM User Help
RM UserType Indicator
RM Virus Protect 4 (Client Config)
RM Volume Control
RM Web Launch
RM_Font Controller
RMC3IEngine
Roxio Drag-to-Disc
Sammys Science House
Security Update for Microsoft .NET Framework 2.0 (KB922770)
SoundMAX
Super Duper Pooper Scooper
SUPERAntiSpyware
Symantec AntiVirus
USB Fix
VB Logger
VCDROM Hotfix
Virtual CD 4
Wallpaper and Logon Bitmaps
WebFldrs XP
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Enterprise Deployment
Windows XP Service Pack 3
XP Security Patch KB822036
XP Security Patch KB824934
XP Security Patch KB824938
XP Security Patch KB826293
.
==== Event Viewer Messages From Past Week ========
.
1/14/2012 9:00:17 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the crd service to connect.
1/14/2012 9:00:17 AM, error: Service Control Manager [7000] - The crd service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
1/11/2012 9:33:35 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips i8042prt intelppm SAVRT SAVRTPEL SPBBCDrv SYMTDI vcdmpdrv
1/11/2012 9:32:14 AM, error: vcdmpdrv [4] - Driver detected an internal error in its data structures for .
1/11/2012 9:08:26 AM, error: Service Control Manager [7024] - The Symantec SPBBCSvc service terminated with service-specific error 4294967295 (0xFFFFFFFF).
1/11/2012 9:07:32 AM, error: Dhcp [1002] - The IP address lease 192.168.0.5 for the Network Card with network address 001A73E492B1 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
1/10/2012 3:49:26 PM, error: NETLOGON [5719] - No Domain Controller is available for domain KSSCC3 due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
.
==== End Of File ===========================

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

and save it to your Desktop.
It would be easiest to download using Internet Explorer.
If you want to use Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Double click ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

Hi

Could not disable antivirus as although logged on as system admin everything was locked. Also would not let me install Microsoft Recovery Console (system is RM not Windows) so sorry the scan results will not be complete.

ComboFix 12-01-15.01 - SystemAdmin 15/01/2012 10:07:33.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2039.1207 [GMT 0:00]
Running from: c:\documents and settings\systemadmin\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Outdated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\INSTALL.LOG
c:\windows\system32\instsrv.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-12-15 to 2012-01-15 )))))))))))))))))))))))))))))))
.
.
2012-01-14 09:07 . 2012-01-14 09:08 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-01-14 09:07 . 2012-01-14 09:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-01-13 09:05 . 2012-01-13 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-01-13 09:05 . 2012-01-13 09:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-01-13 09:05 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-01-04 13:58 . 2012-01-04 13:58 -------- d-----w- C:\HpUpdate
2012-01-04 13:54 . 2001-08-17 13:53 6784 -c--a-w- c:\windows\system32\dllcache\serscan.sys
2012-01-04 13:54 . 2001-08-17 13:53 6784 ----a-w- c:\windows\system32\drivers\serscan.sys
2012-01-04 13:50 . 2011-06-08 18:06 544616 ------w- c:\windows\system32\HPDiscoPMa011.dll
2012-01-04 13:50 . 2011-06-08 21:57 488296 ----a-w- c:\windows\system32\HPWia1_DJ3050A_J611.dll
2012-01-04 13:50 . 2011-06-08 21:57 1929576 ----a-w- c:\windows\system32\HPScanTRDrv_DJ3050A_J611.dll
2012-01-04 13:50 . 2011-06-08 21:57 429928 ----a-w- c:\windows\system32\hpinkstsa011.dll
2012-01-04 13:50 . 2011-06-08 21:57 270696 ----a-w- c:\windows\system32\hpinkstsa011LM.dll
2012-01-04 13:50 . 2011-06-08 21:57 216424 ----a-w- c:\windows\system32\hpinkcoia011.dll
2012-01-04 13:49 . 2012-01-04 13:49 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2012-01-04 13:47 . 2012-01-04 13:54 -------- d-----w- c:\documents and settings\clerk\Local Settings\Application Data\HP
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-11 13:33 . 2011-05-13 18:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
1999-06-25 11:55 . 2010-05-11 11:49 149504 ----a-w- c:\program files\UNWISE.EXE
2003-11-07 16:05 26112 --sha-r- c:\windows\system32\RMSecurity.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-05-29 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegLock"="RegLock" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]
"PTHOSTTR"="c:\program files\Hewlett-Packard\HP ProtectTools Security Manager\PTHOSTTR.EXE" [2007-01-09 145184]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 137752]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2007-09-20 61440]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-05-08 331552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2007-02-02 1116920]
"WatchDog"="c:\program files\InterVideo\DVD Check\DVDCheck.exe" [2007-05-23 192512]
"VCDPlayer"="c:\progra~1\H_H~1\VIRTUA~1\System\VCDPlay.exe" [2002-09-16 94208]
"RM Outlook Profile Setup"="c:\program files\Research Machines\Network Management\Outlook Profile Setup\OutlookProfileSetup.exe" [2003-09-02 28672]
"RMCDReset"="c:\program files\Research Machines\CD ROM Player\CDROMPlayer.exe" [2004-08-10 3989504]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"QuickTime Task"="c:\program files\Apple\QuickTime 6.5\qttask.exe" [2010-05-11 98304]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-03-24 49208]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-2-6 561213]
DVD Check.lnk - c:\program files\InterVideo\DVD Check\DVDCheck.exe [2010-5-7 192512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMConfigurePrograms"= 1 (0x1)
"Btn_Tools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\DeviceNP]
2007-06-08 08:04 49152 ----a-r- c:\windows\system32\DeviceNP.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-647300586-2699542603-2577845817-2187\Scripts\Logoff\0\0]
"Script"=RMSynchronise.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-647300586-2699542603-2577845817-2187\Scripts\Logon\0\0]
"Script"=c:\windows\SYSVOL\sysvol\ksscc3.internal\scripts\timeset.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 4:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 9:55 PM 67664]
R1 vcdmpdrv;vcdmpdrv;c:\windows\system32\drivers\VCDMPDRV.sys [9/8/2003 10:56 AM 49024]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 11:38 PM 116608]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [5/7/2010 8:32 AM 540448]
R2 PMSUtilityScheduler;RMC3IEngine;c:\program files\Research Machines\Network Management\RMC3IEngine\Bin\utsU.exe [5/11/2010 11:23 AM 1667122]
R2 RM LST Station Helper Service;RM LST Station Helper Service;c:\program files\Research Machines\Network Management\RM LST SAG\Bin\RM LST Station Helper Service.exe [3/23/2006 2:07 AM 249856]
R2 RMClientEvtService;RM Printer Credits Client Service;c:\program files\Research Machines\Network Management\Printer Credits\RMClientEvtService.exe [10/30/2003 1:19 PM 1106031]
R2 RMEventForwardingService;RM Event Forwarding Service;c:\program files\Research Machines\Network Management\Event Forwarding Service\RMEventForwardingService.exe [6/21/2004 2:06 PM 118784]
R2 RmPolicyMergerS.exe;RM Policy Merger Service;c:\program files\Research Machines\Classmate\PolicyMerger\PolicyMergerS.exe [12/4/2001 10:54 AM 49152]
R2 RMPrinterWrapper;RM Printer Wrapper Service;c:\program files\Research Machines\Network Management\Printer Wrapper\RMPrinterWrapper.exe [10/30/2003 1:24 PM 917582]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/3/2011 2:21 PM 105592]
S2 AutoExNT;AutoExNT;c:\windows\system32\AUTOEXNT.EXE [2/1/1995 11:03 AM 22528]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 11:21 AM 135664]
S2 PrvlUserService;RM Privileged User Service;c:\program files\Research Machines\Network Management\Privileged User Service\PrvlUserService.exe [11/27/2002 10:51 AM 270336]
S2 StationTidy;StationTidy;c:\program files\Research Machines\Network Management\Station Tidy\Stationtidy.exe [7/11/2003 12:49 PM 241664]
S3 DAMDrv;DAMDrv;c:\windows\system32\drivers\DAMDrv.sys [5/7/2010 7:53 AM 30008]
S3 FLCDLOCK;HP ProtectTools Device Locking / Auditing;c:\windows\system32\flcdlock.exe [6/8/2007 8:06 AM 172131]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/18/2011 11:21 AM 135664]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 7:48 PM 116664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\RM Workstation Installation]
2003-08-05 13:41 385024 ----a-w- c:\rm\Install\RMStationBuild.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
2009-03-08 03:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1cc14672d740b0.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 11:21]
.
2012-01-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA1cc14672e7f126.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-18 11:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://login.northants.embc.uk.com
uLocal Page = c:\winnt\system32\blank.htm
uInternet Connection Wizard,ShellNext = https://kss-sr-001/manage/school/default.asp?SchoolLDAP=LDAP://OU=KSS,OU=ESTABLISHMENTS,DC=KSSCC3,DC=INTERNAL&SchoolOU=KSS&LDAP=LDAP://OU=KSS,OU=ESTABLISHMENTS,DC=KSSCC3,DC=INTERNAL&OU=KSS
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-LightScribe Control Panel - c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe
HKLM_ActiveSetup-{44BBA840-CC51-11CF-AAFA-00AA00B6015C} - none
HKLM_ActiveSetup-{5945c046-1e7d-11d1-bc44-00c04fd912be} - None
AddRemove-Broadcom 802.11b Network Adapter - c:\program files\Broadcom\Broadcom 802.11\Driver\bcmwlu00.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-15 10:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????H??????????????|?M?|?????M?|??@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(944)
c:\program files\Research Machines\Network Management\Logon Provider\rmgina.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\DeviceNP.dll
.
Completion time: 2012-01-15 10:14:13
ComboFix-quarantined-files.txt 2012-01-15 10:14
.
Pre-Run: 105,995,014,144 bytes free
Post-Run: 106,139,824,128 bytes free
.
- - End Of File - - 535F53A81EE696F4720FB73E2267FDC8

Your AV is out-of-date. Please update it before continuing.

1. Download this diagnostics tool MGADiag.ext and save this to your Desktop.
2. Double-click on MGADiag.exe and click Continue
3. When the program has finished, click on Copy
4. Post the results in your next reply.
**************************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
  
• Click on the Log tab.
  
• In the Write to log box select the following items.
  
  
  
  • Process << Selected
    
  • Kernel Modules << Selected
    
  • SSDT << Selected
    
  • Kernel Hooks << Selected
    
  • IRP Hooks << NOT Selected
    
  • Ports << NOT Selected
    
  • Hidden Files << Selected
    
  
  
• At the bottom of the page
  
  
  
  • Hidden Objects Only << Selected
    
  
  
• Click on the Create Log button on the bottom right.
  
• After a few seconds a new window should appear.
  
• Select Scan Root Drive. Click on the Start button.
  
• When it is complete a new window will appear to indicate that the scan is finished.
  
• The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
  

Hi

Sorry following this process is causing problems with my laptop (I think because it is on a school network and also as I explained before it runs on a system called RM which looks like but is not windows). I will just use it offline for now and hand it in to the IT tech when he returns.

Many thanks for your help anyway.

soleruler wrote:

Hi

Sorry following this process is causing problems with my laptop (I think because it is on a school network and also as I explained before it runs on a system called RM which looks like but is not windows). I will just use it offline for now and hand it in to the IT tech when he returns.

Many thanks for your help anyway.

You're welcome. I didn't think I could help much because business computer have a lot of protections built in but I gave it a shot.Good luck.