
  • "carnivorous danus" started this thread

Date of registration:
Apr 21st 2012

Version:
Avira Free Antivirus

Operating System:
Windows Vista


1

Saturday, April 21st 2012, 4:59pm

Got another Sirefef.BV.2 infection here

Hi, I was hoping to get some help with, what else, the Sirefef.BV.2 trojan. I'd really appreciate any assistance. Here's the results of my complete system scan:
Avira AntiVir Personal
Report file date: Saturday, April 21, 2012 09:43

Scanning for 3668575 virus strains and unwanted programs.

Licensed to: Avira Free Antivirus
Serial number: 0000149996-ADJIE-0000001
Platform: Windows Vista
Windows version: (Service Pack 2) [6.0.6002]
Boot mode: Save mode with network
Username: admin
Computer name: D-PC

Version information:
BUILD.DAT : 8.2.0.354 17048 Bytes 10/23/2009 13:15:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/26/2008 03:13:25
AVSCAN.DLL : 8.1.4.0 40705 Bytes 7/18/2008 06:16:59
LUKE.DLL : 8.1.4.5 164097 Bytes 7/18/2008 06:16:59
LUKERES.DLL : 8.1.4.0 12033 Bytes 7/18/2008 06:16:59
ANTIVIR0.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 01:27:06
ANTIVIR1.VDF : 7.11.26.52 36536176 Bytes 3/28/2012 09:03:50
ANTIVIR2.VDF : 7.11.28.57 1804192 Bytes 4/20/2012 09:41:58
ANTIVIR3.VDF : 7.11.28.70 6656 Bytes 4/20/2012 09:41:58
Engineversion : 8.2.10.52
AEVDF.DLL : 8.1.2.2 106868 Bytes 10/29/2011 18:04:56
AESCRIPT.DLL : 8.1.4.17 446842 Bytes 4/21/2012 09:42:09
AESCN.DLL : 8.1.8.2 131444 Bytes 1/28/2012 08:56:42
AESBX.DLL : 8.2.5.5 606579 Bytes 3/13/2012 09:05:46
AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 18:04:52
AEPACK.DLL : 8.2.16.9 807287 Bytes 4/2/2012 08:58:28
AEOFFICE.DLL : 8.1.2.27 201082 Bytes 4/6/2012 08:58:25
AEHEUR.DLL : 8.1.4.19 4673910 Bytes 4/21/2012 09:42:07
AEHELP.DLL : 8.1.19.1 254327 Bytes 4/4/2012 08:58:40
AEGEN.DLL : 8.1.5.27 422261 Bytes 4/21/2012 09:42:00
AEEXP.DLL : 8.1.0.29 82293 Bytes 4/13/2012 08:59:19
AEEMU.DLL : 8.1.3.0 393589 Bytes 11/22/2010 11:57:09
AECORE.DLL : 8.1.25.6 201078 Bytes 3/16/2012 08:59:40
AEBB.DLL : 8.1.1.0 53618 Bytes 4/23/2010 23:47:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/18/2008 06:16:59
AVPREF.DLL : 8.0.2.0 38657 Bytes 7/18/2008 06:16:59
AVREP.DLL : 10.0.0.10 174120 Bytes 12/15/2011 18:06:32
AVREG.DLL : 8.0.0.1 33537 Bytes 7/18/2008 06:16:59
AVARKT.DLL : 1.0.0.23 307457 Bytes 4/15/2008 21:47:13
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 7/18/2008 06:16:59
SQLITE3.DLL : 3.3.17.1 339968 Bytes 4/15/2008 21:47:13
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 7/18/2008 06:16:59
NETNT.DLL : 8.0.0.1 7937 Bytes 4/15/2008 21:47:13
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 7/18/2008 06:16:57
RCTEXT.DLL : 8.0.52.0 86273 Bytes 7/18/2008 06:16:57

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Deviating archive types..........: +BSD Mailbox, +Netscape/Mozilla Mailbox, +Eudora Mailbox, +Squid cache, +Pegasus Mailbox, +MS Outlook Mailbox,
Macro heuristic..................: on
File heuristic...................: medium
Deviating risk categories........: +APPL,+GAME,+JOKE,+PCK,+SPR,

Start of the scan: Saturday, April 21, 2012 09:43

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '1' Module(s) have been scanned
Scan process 'unsecapp.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SASCore.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
21 processes with 21 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '23' files ).


Starting the file scan:

Begin scan in 'C:\' <OS>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\35217071-7bac793e
[0] Archive type: ZIP
--> ________vload.class
[DETECTION] Is the TR/Selace.E.1 Trojan
[NOTE] The file was moved to '4fc4bd20.qua'!
C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\46306b78-3b037cf8
[0] Archive type: ZIP
--> prev/monoid.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
--> starter/gromozapa.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0094.R exploit
--> starter/reverberator.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0094.BA exploit
[NOTE] The file was moved to '4fc5bd29.qua'!
C:\Windows\System32\acprfmgrsvc.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '5002c02f.qua'!
C:\Windows\System32\CnxtHdAudService.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '500ac041.qua'!
C:\Windows\System32\L8042mou.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4fc2c020.qua'!
C:\Windows\System32\mldserv.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4ff6c05a.qua'!
C:\Windows\System32\MREMP50.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4fd7c041.qua'!
C:\Windows\System32\prfldsvc.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4ff8c070.qua'!
C:\Windows\System32\rp32service.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4fc5c072.qua'!
C:\Windows\System32\spbbcsvc.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4ff4c076.qua'!
C:\Windows\System32\st330service.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4fc5c07c.qua'!
C:\Windows\System32\usbvideo.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4ff4c081.qua'!
C:\Windows\System32\WUSB54GCSVC.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '4fe5c06e.qua'!
C:\Windows\System32\drivers\smb.sys
[DETECTION] Is the TR/Rootkit.Gen7 Trojan
[NOTE] The file was moved to '4ff4c0cd.qua'!
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys
[DETECTION] Is the TR/Rootkit.Gen7 Trojan
[NOTE] The file was moved to '4ff4c58a.qua'!
Begin scan in 'D:\' <RECOVERY>


End of the scan: Saturday, April 21, 2012 10:40
Used time: 56:27 Minute(s)

The scan has been done completely.

36261 Scanning directories
346703 Files were scanned
17 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
15 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
346685 Files not concerned
2206 Archives were scanned
1 Warnings
15 Notes
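A parser for the Avira report format posted above, added here as an example (it is not code from the thread or from Avira). It reads an excerpt of that log, constructed inline from a subset of its entries, groups the hits by signature family, and flags a file name that was detected in more than one directory, which is what the two smb.sys entries (System32\drivers and the WinSxS copy) show:

```python
# Added example: parser for the Avira AntiVir report format posted above.
# Not code from the thread or from Avira; written against the line shapes
# visible in the log (path line, '--> member', [DETECTION], [NOTE], [WARNING]).
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

PATH_RE = re.compile(r"^[A-Za-z]:\\")
MEMBER_RE = re.compile(r"^--> (.+)$")
DETECTION_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains recognition pattern of the) (\S+)")
QUARANTINE_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")
WARNING_RE = re.compile(r"^\[WARNING\] (.+)$")

@dataclass(frozen=True)
class Detection:
    path: str       # file on disk that the scanner flagged
    member: str     # archive member the hit was inside, "" for a plain file
    signature: str  # e.g. TR/Sirefef.BV.2 or EXP/CVE-2010-0094.R

    @property
    def family(self) -> str:
        # "TR/Sirefef.BV.2" -> "Sirefef"; "EXP/CVE-2010-0094.R" -> "CVE-2010-0094"
        return self.signature.split("/", 1)[-1].split(".")[0]

    @property
    def directory(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

def parse_report(text: str):
    """Return (detections, {path: quarantine file}, warnings)."""
    detections, quarantined, warnings = [], {}, []
    path = member = ""
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            path, member = line, ""   # a new scanned file; forget the old archive member
        elif (m := MEMBER_RE.match(line)):
            member = m.group(1)       # following hit lines refer to this archive member
        elif (m := DETECTION_RE.match(line)):
            detections.append(Detection(path, member, m.group(1)))
        elif (m := QUARANTINE_RE.match(line)):
            quarantined[path] = m.group(1)
        elif (m := WARNING_RE.match(line)):
            warnings.append(f"{path}: {m.group(1)}")
    return detections, quarantined, warnings

def by_family(detections) -> Counter:
    return Counter(d.family for d in detections)

def same_name_in_several_dirs(detections) -> dict:
    """Basenames flagged under more than one directory, e.g. a driver in
    System32\\drivers and its copy in the WinSxS component store."""
    where = defaultdict(set)
    for d in detections:
        where[d.basename].add(d.directory)
    return {name: dirs for name, dirs in where.items() if len(dirs) > 1}

# Constructed excerpt of the report posted above (a subset of its entries).
SAMPLE_REPORT = r"""
Begin scan in 'C:\' <OS>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\49\35217071-7bac793e
[0] Archive type: ZIP
--> ________vload.class
[DETECTION] Is the TR/Selace.E.1 Trojan
[NOTE] The file was moved to '4fc4bd20.qua'!
C:\Users\admin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\56\46306b78-3b037cf8
[0] Archive type: ZIP
--> prev/monoid.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-4452 exploit
--> starter/gromozapa.class
[DETECTION] Contains recognition pattern of the EXP/CVE-2010-0094.R exploit
[NOTE] The file was moved to '4fc5bd29.qua'!
C:\Windows\System32\acprfmgrsvc.dll
[DETECTION] Is the TR/Sirefef.BV.2 Trojan
[NOTE] The file was moved to '5002c02f.qua'!
C:\Windows\System32\drivers\smb.sys
[DETECTION] Is the TR/Rootkit.Gen7 Trojan
[NOTE] The file was moved to '4ff4c0cd.qua'!
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6002.18005_none_61560a3ff5180c84\smb.sys
[DETECTION] Is the TR/Rootkit.Gen7 Trojan
[NOTE] The file was moved to '4ff4c58a.qua'!
"""

if __name__ == "__main__":
    dets, quar, warns = parse_report(SAMPLE_REPORT)
    print(f"{len(dets)} detections, {len(quar)} files quarantined, {len(warns)} warnings")
    for fam, n in by_family(dets).most_common():
        print(f"  {fam}: {n}")
    for name, dirs in same_name_in_several_dirs(dets).items():
        print(f"  {name} flagged in {len(dirs)} directories: {sorted(dirs)}")
```

Run against the full log, the detection count (17) and the number of quarantine notes (15) can be checked against the trailer of the report, and a name appearing under both System32\drivers and winsxs tells you the component store copy was flagged too.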

marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down


2

Sunday, April 22nd 2012, 4:27pm

Hi carnivorous danus,

Please perform the following steps in Normal Mode:

1) Please download SystemLook and save it to your desktop.
  • Double-click SystemLook.exe to run it;
  • Copy the content of the following quoted box into the main textfield (do NOT copy the word "Quoted")

    Quoted

    :filefind
    smb.sys
    :reg
    HKLM\SYSTEM\CurrentControlSet\Services\SMB
    HKLM\SYSTEM\CurrentControlSet\Enum\Root\SMB
    HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings /sub
    HKLM\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings /sub
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings /sub
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows /sub
    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections /sub
  • Click the Look button to start the scan;
  • When finished, a Notepad window will open with the results of the scan;
  • Please submit the log to a file-sharing service like MediaFire or similar and send me the URL via PM.
Note: The log can also be found on your desktop, entitled SystemLook.txt. This procedure will ensure your privacy regarding the content of these keys.

2) Please run the DDS tool, following these procedures below:
  • Download the DDS Tool :: Alternative link and save the file to your Desktop;
  • Double-click on the DDS.scr icon to start the program and click on the run button to start DDS;
  • DDS will now display a small black window providing information as to what DDS is doing on your computer;

  • DDS will now start scanning your computer and compiling a variety of information about what programs are starting on your computer, what files have been recently created, and the general configuration of your computer. When DDS has finished scanning, all of this information will be compiled and be displayed in two notepad windows named dds.txt and attach.txt;
  • Save both files to your Desktop and submit the dds.txt and attach.txt to Pastebin.com. Post the URL from dds.txt and attach.txt in your next reply.
How to submit your logs using Pastebin.com:
  • Copy all text (CTRL + A | CTRL + C) and Paste (CTRL + V) in the form. Follow this procedure for both files:
  • Please select "1 day" in the Paste Expiration and click on Submit button;
  • Your log can be detected by Pastebin.com's spam detection filter. Just type the captcha that will appear on your screen.
  • Wait a few seconds and a screen with your text will appear. Copy and paste the URL of your submission in your next reply.
3) Download TDSSKiller and save it to your desktop.
  • Right-click on tdsskiller.exe and select "Run as Administrator" to run the application, then click on Change parameters;
  • Check the box next to Verify Driver Digital Signature
  • Do NOT check the box next to Detect TDLFS file system;
  • Click OK;
  • Click Start Scan button;
  • Do NOT use the computer while the scan is performed;
  • When the scan is over, the utility outputs a list of detected objects with description;
    - The utility automatically selects an action (Cure or Delete) for malicious objects;
      Note [1]: Ensure Cure is selected, then click Continue, rebooting to finish the cleaning process.
      Note [2]: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed;
    - The utility prompts the user to select an action to apply to suspicious objects (Skip, by default);
  • If no reboot is required, click on Report. A log file should appear.
  • By default, the utility outputs the log into system disk root folder (it is usually the disk with installed operating system, C:\);
  • The logs have names like: UtilityName.Version_Date_Time_log.txt | E.g. C:\TDSSKiller.2.4.17.0_10.02.2011_11.20.55_log.txt;
  • Please submit the log to Pastebin.com and post the URL in your next reply.
----
Marco

  • "carnivorous danus" started this thread

3

Sunday, April 22nd 2012, 5:57pm

Thanks so much! Here's the pastebin links:
http://pastebin.com/1sDvPG1q
http://pastebin.com/XnCbEm5g

marfabilis

Moderator


4

Sunday, April 22nd 2012, 7:09pm

Hi carnivorous danus,

Download OTL - alternative link here.
Since being acquired by TrendMicro, HijackThis has not been regularly updated. OTL includes all the scan locations of HijackThis and more. It's not only a more comprehensive scan tool, but also offers more powerful removal features. Many infections are now able to hide partly, or completely from a HijackThis scan.
  • Double-click on OTL to run it. If you are running on Windows Vista/7, right-click on the file and choose Run As Administrator;
  • Check the following options: Scan All Users, LOP Check and Purity Check;
  • Check Use SafeList under Extra Registry section;
  • Check All under Standard Registry section;
  • Change File Age to 90 days under File Scans section;
  • Copy and paste the following quoted text under . Do not include the word "Quoted";

    Quoted

    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    /md5start
    explorer.exe
    lsass.exe
    svchost.exe
    wininit.exe
    winlogon.exe
    userinit.exe
    /md5stop
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.exe /s
    %APPDATA%\Adobe\Update\*.*
    %APPDATA%\Update\*.*
    %APPDATA%\Microsoft\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %ALLUSERSPROFILE%\*.*
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.*
    %PROGRAMFILES%\Internet Explorer\*.*
    %USERPROFILE%\*.*
    %USERPROFILE%\Local Settings\Temp\*.exe
    %USERPROFILE%\Local Settings\Temp\*.dll
    %USERPROFILE%\Application Data\*.exe
    %systemroot%\*. /mp /s
    %systemroot%\*.exe /90
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.dll /90
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\*.exe /90
    %systemroot%\system32\config\*.sav
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\assembly\tmp\*.* /S /MD5
    %systemroot%\assembly\GAC_32\*.* /S /MD5
    %systemroot%\assembly\GAC_64\*.* /S /MD5
    CREATERESTOREPOINT
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
  • Make sure other windows are closed, so the scan can be performed without a break;
  • Click on at the top left hand corner.
  • When the scan completes, it will open two notepad windows. OTL.txt and Extras.txt;
  • These are saved in the same location as OTL. In other words, on your Desktop;
  • Upload the OTL.txt and Extras.txt to Pastebin.com. Post the URL from OTL.txt and Extras.txt in your next reply.
How to submit your logs using Pastebin.com:
  • Copy all text (CTRL + A) and Paste (CTRL + V) in the form. Follow this procedure for both files:
  • Please select "1 day" in the Post Expiration and click on Submit button;
  • Your log can be detected by Pastebin.com's spam detection filter. Just type the captcha that will appear on your screen.
  • Wait a few seconds and a screen with your text will appear. Copy and paste the URL of your submission in your next reply.
-----
Marco

  • "carnivorous danus" started this thread

5

Sunday, April 22nd 2012, 8:46pm


marfabilis

Moderator


6

Sunday, April 22nd 2012, 9:32pm

Hi carnivorous danus,

1) Please uninstall Ad-Aware Antivirus.

2) Let's run an OTL fix:
  • Please reopen on your Desktop to run the tool. If you are running on Windows Vista or Windows 7, right-click on the file and choose Run As Administrator;
  • Please download this file (OTLfix.txt), open the file using your Notepad, copy all content and paste into the box under ;
  • Make sure other windows are closed, so the OTL fix can be performed without a break
  • Click on at the top;
  • Click ;
  • OTL may ask you to reboot your machine. Reboot if asked;
  • The OTL fix log should appear in Notepad after the reboot. Copy and Paste that log in your next reply;
  • In any case, a copy of the OTL fix log is saved in a text file at C:\_OTL\Moved Files.
3) Please download ComboFix (choose BleepingComputer Mirror)

Getting started:
  • Please save ComboFix.exe to your desktop;
  • If possible please print out these instructions, then it will be easier for you to not miss anything;
  • Please CLOSE: web browsers (IE, Mozilla Firefox, Google Chrome, Opera etc.) and ANY open programs;
  • Keep only essential processes running on your system (Windows system processes);
  • Please DISABLE: Avira Antivirus and ANY antispyware or antimalware applications;
  • Usually, you can disable them via a right-click on the system tray icon. The reason for this is that they may interfere with this tool. If you don't know how to disable them, please read here or here. If you have Windows Defender enabled, please read this.
Things you can NOT do while ComboFix is running:
  • Do NOT click anywhere in the ComboFix window;
  • Do NOT close ComboFix by clicking on red X in the upper left corner;
  • Do NOT move the mouse and do NOT use the keyboard, as it can cause the tool to stall, crash and your desktop will go blank;
  • If you really need to stop or exit the ComboFix tool for some reason, press the key "N" on your keyboard.
Running ComboFix:
  • Double click on Combofix.exe & follow the prompts;
  • If you receive a UAC prompt, asking whether you want to continue running the program or not, you should press Continue button.
  • You will get a warning about untrusted download sites for ComboFix, click Yes;
  • As part of its process, ComboFix will check to see whether the Microsoft Windows Recovery Console is installed or not;
    Note: Skip the Recovery Console part as you're running Windows Vista, since you could use the Windows Vista DVD / Windows Vista Recovery disc to boot into the Windows Vista Recovery Environment if something goes awry (i.e. to restore Windows to an earlier point in time);
  • If you cannot run ComboFix in Normal Mode for some reason, please restart the computer in Safe Mode and try to run this tool in Safe Mode;
    Also read: How to boot Windows in Safe Mode
  • ComboFix will disconnect your computer from the Internet, so don't be surprised or concerned, if you receive any warnings stating that you're no longer on the Internet;
  • Please do NOT attempt to re-connect your machine back to the Internet, until ComboFix has completely finished;
  • When ComboFix has finished, it will automatically restore your Internet connection. If there is no Internet connection after running ComboFix, restart your computer to restore your connection. Otherwise, please read this to manually restore the Internet connection;
  • ComboFix can automatically restart the PC to complete the removal process;
  • When finished, ComboFix will generate a log, which will be in C:\ComboFix.txt;
  • Please submit the log to Pastebin.com and paste the URL in your next reply.
Final Notes:
  • ComboFix may reset a number of Internet Explorer's settings, including making Internet Explorer as your default browser;
  • ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security;
  • If ComboFix alerts to a new version and offers to update, please let it;
  • After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion". If you receive this error, please reboot and this error should disappear;
  • Any additional questions can be found in this tutorial: http://www.bleepingcomputer.com/combofix/how-to-use-combofix.
"You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer"

4) Double-click SystemLook.exe to run it;
  • Copy the content of the following quoted box into the main textfield (do NOT copy the word "Quoted")

    Quoted

    :filefind
    smb.sys
    ipinip.sys
  • Click the Look button to start the scan;
  • When finished, a Notepad window will open with the results of the scan;
  • Please post the results in your next reply;
----
Marco

  • "carnivorous danus" started this thread

7

Monday, April 23rd 2012, 5:32am

Here's the OTL Fix log:
Error: Unable to interpret <:OTL
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\psadd.dll -- (wg3n)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\symtdi.dll -- (wacommousefilter)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\pdlndint.dll -- (VHidMinidrv)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\AFGSp50.dll -- (VAIOMediaPlatform-VideoServer-UPnP)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\raysatxsi5_0server.dll -- (usbsermpt)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\parallel.dll -- (USB28xxBGA)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\VC4CB104.dll -- (twdns)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SrvcTPIOMngr.dll -- (tvtpktfilter)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\nwdls.dll -- (TuneUp.Defrag)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\idebusdr.dll -- (TestHandler)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\arrays> in the current context!
Error: Unable to interpret <sl_vpn_service3,0,1,9.dll -- (symids)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\spkrmon.dll -- (ssm_bus)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\se44obex.dll -- (Slntamr)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\kmixer.dll -- (slave)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\DSI_SiUSBXp_3_1.dll -- (siskp)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\SE2Cmdm.dll -- (ScanUSBEMPIA)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\aspi32.dll -- (rt73)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\mfesmfk.dll -- (retinaengine)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\tosrfbd.dll -- (razerusb)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\ma763004.dll -- (pptchpad)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\nvcap.dll -- (pcx1unic)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\rimsptsk.dll -- (pcidump)
SRV - > in the current context!
Error: Unable to interpret <File not found [Auto | Stopped] -- %systemroot%\system32\symids.dll -- (OVT511Plus)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\avidsdmservice.dll -- (nscirda)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\db2governor.dll -- (netwg311)
SRV - File not found [Auto | Stopped] -- C:\Windows\system32\usbnaw32.dll -- (NEC Usb3)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\vetmsgnt.dll -- (mfetdik)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\roxupnprenderer.dll -- (lpx)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\nvidesm.dll -- (licensemanagersocket)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\napagent.dll -- (iolo_srv)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\USBModem.dll -- (hsfhwbs2)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\NWDNS.dll -- (FreshIO)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\s116unic.dll -- (flashpnt)
SRV - File not found [Auto > in the current context!
Error: Unable to interpret <| Stopped] -- %systemroot%\system32\ialm.dll -- (Fd16_700)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\tunmp.dll -- (fa_scheduler)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cbidf.dll -- (elockservice)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\prevxdriver.dll -- (Cam5607)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\usbuhci.dll -- (application)
SRV - File not found [Auto | Stopped] -- %systemroot%\system32\cfosspeeds.dll -- (ac97intc)
IE - HKU\S-1-5-21-1211825294-410278775-2010435404-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local;<local>
O4 - HKLM..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup File not found
O33 - MountPoints2\{b34c968e-cec7-11de-9dc8-00188bc80509}\Shell - "" = AutoRun
O33 - MountPoints2\{b34c968e-cec7-11de-9dc8-00188bc80509}\Shell\AutoRun\command - "" = G:\Launcher.exe
NetSvcs: mfetdik - %systemroot%\system32\vetmsgnt.dll File not found
NetSvcs: wg3n - %systemr> in the current context!
Error: Unable to interpret <oot%\system32\psadd.dll File not found
NetSvcs: rt73 - %systemroot%\system32\aspi32.dll File not found
NetSvcs: fa_scheduler - %systemroot%\system32\tunmp.dll File not found
NetSvcs: USB28xxBGA - %systemroot%\system32\parallel.dll File not found
NetSvcs: Fd16_700 - %systemroot%\system32\ialm.dll File not found
NetSvcs: nscirda - %systemroot%\system32\avidsdmservice.dll File not found
NetSvcs: pcidump - %systemroot%\system32\rimsptsk.dll File not found
NetSvcs: merakcontrol - File not found
NetSvcs: a016obex - File not found
NetSvcs: KR10N - File not found
NetSvcs: nvport - File not found
NetSvcs: vcdsecs - File not found
NetSvcs: SNP2UVC - File not found
NetSvcs: lxcz_device - File not found
NetSvcs: kraidsvc - File not found
NetSvcs: akshasp - File not found
NetSvcs: U81xmgmt - File not found
NetSvcs: wap3gx - File not found
NetSvcs: iolo_srv - %systemroot%\system32\napagent.dll File not found
NetSvcs: lpx - %systemroot%\system32\roxupnprenderer.dll File not found
NetSvcs: siskp - %systemroot%\sys> in the current context!
Error: Unable to interpret <tem32\DSI_SiUSBXp_3_1.dll File not found
NetSvcs: ssm_bus - %systemroot%\system32\spkrmon.dll File not found
NetSvcs: FreshIO - %systemroot%\system32\NWDNS.dll File not found
NetSvcs: Slntamr - %systemroot%\system32\se44obex.dll File not found
NetSvcs: twdns - %systemroot%\system32\VC4CB104.dll File not found
NetSvcs: flashpnt - %systemroot%\system32\s116unic.dll File not found
NetSvcs: hsfhwbs2 - %systemroot%\system32\USBModem.dll File not found
NetSvcs: ScanUSBEMPIA - %systemroot%\system32\SE2Cmdm.dll File not found
NetSvcs: TestHandler - %systemroot%\system32\idebusdr.dll File not found
NetSvcs: NMSAccessU - File not found
NetSvcs: dnwhodisp - File not found
NetSvcs: symids - %systemroot%\system32\arrayssl_vpn_service3,0,1,9.dll File not found
NetSvcs: amdppm - File not found
NetSvcs: dnserver32 - File not found
NetSvcs: mcafeeantispyware - File not found
NetSvcs: livesrv - File not found
NetSvcs: ELmon - File not found
NetSvcs: MxlW2k - File not found
NetSvcs: epson_pm_rpcv2_01 - File not found
N> in the current context!
Error: Unable to interpret <etSvcs: 3compxe - File not found
NetSvcs: tvtpktfilter - %systemroot%\system32\SrvcTPIOMngr.dll File not found
NetSvcs: AtcL002 - File not found
NetSvcs: prismxl - File not found
NetSvcs: portio - File not found
NetSvcs: ATIBTCAP - File not found
NetSvcs: vsdatant - File not found
NetSvcs: vusbbus - File not found
NetSvcs: guardian2 - File not found
NetSvcs: mpfservice - File not found
NetSvcs: axsnmsvc - File not found
NetSvcs: pdlncfwk - File not found
NetSvcs: ip6fw - File not found
NetSvcs: edspport - File not found
NetSvcs: RTHDMIAzAudService - File not found
NetSvcs: lxdmCATSCustConnectService - File not found
NetSvcs: STV680m - File not found
NetSvcs: ATIVTUTW - File not found
NetSvcs: arp1394 - File not found
NetSvcs: soma - File not found
NetSvcs: VC4CB104 - File not found
NetSvcs: clnt_clientman - File not found
NetSvcs: iaimtv0 - File not found
NetSvcs: axskbus - File not found
NetSvcs: SaiMini - File not found
NetSvcs: centennialiptransferagent - File not found
NetSvcs: ti> in the current context!
Error: Unable to interpret <fsfilter - File not found
NetSvcs: asmagent - File not found
NetSvcs: id2scaps - File not found
NetSvcs: rpcsvr4x - File not found
NetSvcs: btwhid - File not found
NetSvcs: TryAndDecideService - File not found
NetSvcs: CAMCAUD - File not found
NetSvcs: rfcomm - File not found
NetSvcs: Bcim - File not found
NetSvcs: PTDCBus - File not found
NetSvcs: splitter - File not found
NetSvcs: brmfrmps - File not found
NetSvcs: pnarp - File not found
NetSvcs: EACSys - File not found
NetSvcs: icam4usb - File not found
NetSvcs: DCamUSBMke2 - File not found
NetSvcs: USB11LDR - File not found
NetSvcs: FirePM - File not found
NetSvcs: gdihook5 - File not found
NetSvcs: slimsvc - File not found
NetSvcs: CVirtA - File not found
NetSvcs: spupdsvc - File not found
NetSvcs: mwstick - File not found
NetSvcs: kl1 - File not found
NetSvcs: JRAID - File not found
NetSvcs: WimFltr - File not found
NetSvcs: s3savagenb - File not found
NetSvcs: ndasbus - File not found
NetSvcs: eskerlicensecontrol - File not > in the current context!
Error: Unable to interpret <found
NetSvcs: lxrjd31d - File not found
NetSvcs: cwafeventrouter - File not found
NetSvcs: VAIOMediaPlatform-PhotoServer-HTTP - File not found
NetSvcs: se58mgmt - File not found
NetSvcs: AIRPLUS - File not found
NetSvcs: USBVCD - File not found
NetSvcs: cypresslink - File not found
NetSvcs: rupsmon - File not found
NetSvcs: backupexecnotificationserver - File not found
NetSvcs: p17 - File not found
NetSvcs: DFUBTUSB - File not found
NetSvcs: NETw4v32 - File not found
NetSvcs: snpstd2 - File not found
NetSvcs: usnjsvc - File not found
NetSvcs: iwebmsg - File not found
NetSvcs: sqlagent$sony_mediamgr - File not found
NetSvcs: kbfiltr - File not found
NetSvcs: ScFBPNT2 - File not found
NetSvcs: UDFReadr - File not found
NetSvcs: yats32 - File not found
NetSvcs: SRTSPL - File not found
NetSvcs: CrystalSysInfo - File not found
NetSvcs: tme3srv - File not found
NetSvcs: cmuda - File not found
NetSvcs: CDRPDACC - File not found
NetSvcs: iPassPeriodicUpdateService - File not found
NetSvcs: > in the current context!
Error: Unable to interpret <pdlnatcm - File not found
NetSvcs: AVerTV - File not found
NetSvcs: lirsgt - File not found
NetSvcs: ypcservice - File not found
NetSvcs: emproxy - File not found
NetSvcs: SNMP - File not found
NetSvcs: Wbutton - File not found
NetSvcs: hSONYPVh - File not found
NetSvcs: ASNDIS5 - File not found
NetSvcs: pid_0928 - File not found
NetSvcs: iPassP - File not found
NetSvcs: RR2IOMod - File not found
NetSvcs: GcKernel - File not found
NetSvcs: GTF32BUS - File not found
NetSvcs: icraplus - File not found
NetSvcs: prevxdriver - File not found
NetSvcs: cwafadmincontroller - File not found
NetSvcs: CXTUNE - File not found
NetSvcs: KLOGNT - File not found
NetSvcs: s117bus - File not found
NetSvcs: MREMP50 - File not found
NetSvcs: USRpdA - File not found
NetSvcs: StillCam - File not found
NetSvcs: p3 - File not found
NetSvcs: eliservice - File not found
NetSvcs: pdiddcci - File not found
NetSvcs: mgabg - File not found
NetSvcs: vsbus - File not found
NetSvcs: VNUSB - File not found
NetSvcs> in the current context!
Error: Unable to interpret <: nsm1mdfl - File not found
NetSvcs: application - %systemroot%\system32\usbuhci.dll File not found
NetSvcs: wkscfgsrv - File not found
NetSvcs: se45nd5 - File not found
NetSvcs: pcctlcom - File not found
NetSvcs: usbsermpt - %systemroot%\system32\raysatxsi5_0server.dll File not found
NetSvcs: Cam5607 - %systemroot%\system32\prevxdriver.dll File not found
NetSvcs: TuneUp.Defrag - %systemroot%\system32\nwdls.dll File not found
NetSvcs: licensemanagersocket - %systemroot%\system32\nvidesm.dll File not found
NetSvcs: retinaengine - %systemroot%\system32\mfesmfk.dll File not found
NetSvcs: pcx1unic - %systemroot%\system32\nvcap.dll File not found
NetSvcs: VHidMinidrv - %systemroot%\system32\pdlndint.dll File not found
NetSvcs: ac97intc - %systemroot%\system32\cfosspeeds.dll File not found
NetSvcs: slave - %systemroot%\system32\kmixer.dll File not found
NetSvcs: OVT511Plus - %systemroot%\system32\symids.dll File not found
NetSvcs: {e2b953a6-195a-44f9-9ba3-3d5f4e32bb55} - File not found
NetSvcs: atitunep - Fi> in the current context!
Error: Unable to interpret <le not found
NetSvcs: ipssvc - File not found
NetSvcs: sddmi2 - File not found
NetSvcs: wandrv - File not found
NetSvcs: MobilePreInstallerService - File not found
NetSvcs: s3twistr - File not found
NetSvcs: BrScnUsb - File not found
NetSvcs: SprintRcAppSvc - File not found
NetSvcs: i81x - File not found
NetSvcs: PSI_SVC_2 - File not found
NetSvcs: pptchpad - %systemroot%\system32\ma763004.dll File not found
NetSvcs: k750mdfl - File not found
NetSvcs: netwg311 - %systemroot%\system32\db2governor.dll File not found
NetSvcs: VAIOMediaPlatform-VideoServer-UPnP - %systemroot%\system32\AFGSp50.dll File not found
NetSvcs: razerusb - %systemroot%\system32\tosrfbd.dll File not found
NetSvcs: elockservice - %systemroot%\system32\cbidf.dll File not found
NetSvcs: wacommousefilter - %systemroot%\system32\symtdi.dll File not found
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
Ms> in the current context!
Error: Unable to interpret <Config - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk - C:\Windows\Installer\{53A01CC6-14B0-4512-A2E7-10D39BF83DC4}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe - (InstallShield Software Corp.)
MsConfig - StartUpReg: {C4B38867-5E69-8091-AF38-74F24C7FF641} - hkey= - key= - File not found
MsConfig - StartUpReg: SigmatelSysTrayApp - hkey= - key= - File not found
MsConfig - StartUpReg: SunJavaUpdateSched - hkey= - key= - File not found
MsConfig - StartUpReg: PrinTray - hkey= - key= - File not found
MsConfig - StartUpFolder: C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk - - File not found
@Alternate Data Stream - 134 bytes -> C:\ProgramData\TEMP:88050731
@Alternate Data Stream - 121 bytes -> C:\ProgramData\TEMP:59756FA4
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:DFC5A2B2
@Alternate Data Stream - 109 bytes -> C:\ProgramData\TEMP:A8ADE5D8
:Reg
:Files
:Commands
[emptyflash]
[emp> in the current context!
Error: Unable to interpret <tytemp]
[emptyjava]> in the current context!

OTL by OldTimer - Version 3.2.40.0 log created on 04222012_232214

carnivorous danus (thread starter)
Post 8, Monday, April 23rd 2012, 8:32am

ComboFix ran a scan for a considerably longer time than predicted, then a window popped up saying "Freeware implementation of XCACLS has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is available."

I'm typing this from a separate device (afraid to do anything that might mess with ComboFix). Any suggestions?

marfabilis, Moderator (registered May 14th 2010; Version: Avira Free Antivirus, Avira Antivirus Suite, Avira Internet Security Suite, Avira Internet Security; Operating System: System of a Down)
Post 9, Monday, April 23rd 2012, 2:50pm

Hi carnivorous danus,

You made a mistake when running the OTL fix; probably you typed something before :OTL (<) or left a space.
Please perform that procedure again with only the content written in OTLfix.txt.

Did you uninstall Ad-Aware Antivirus? Also, make sure your Avira protection is disabled.
If so, please download ComboFix.exe again, rename it to marco.exe and try to run the tool again.

If you still cannot run ComboFix, please try to run in Safe Mode.

Marco
| :: RU | EN | PT-BR | ZH-CN | ZH-TW ::

carnivorous danus (thread starter)
Post 10, Monday, April 23rd 2012, 3:27pm

OK, I think I got it this time; sorry about that:

All processes killed
========== OTL ==========
Service wg3n stopped successfully!
Service wg3n deleted successfully!
File %systemroot%\system32\psadd.dll not found.
Service wacommousefilter stopped successfully!
Service wacommousefilter deleted successfully!
File %systemroot%\system32\symtdi.dll not found.
Service VHidMinidrv stopped successfully!
Service VHidMinidrv deleted successfully!
File %systemroot%\system32\pdlndint.dll not found.
Service VAIOMediaPlatform-VideoServer-UPnP stopped successfully!
Service VAIOMediaPlatform-VideoServer-UPnP deleted successfully!
File %systemroot%\system32\AFGSp50.dll not found.
Service usbsermpt stopped successfully!
Service usbsermpt deleted successfully!
File %systemroot%\system32\raysatxsi5_0server.dll not found.
Service USB28xxBGA stopped successfully!
Service USB28xxBGA deleted successfully!
File %systemroot%\system32\parallel.dll not found.
Service twdns stopped successfully!
Service twdns deleted successfully!
File %systemroot%\system32\VC4CB104.dll not found.
Service tvtpktfilter stopped successfully!
Service tvtpktfilter deleted successfully!
File %systemroot%\system32\SrvcTPIOMngr.dll not found.
Service TuneUp.Defrag stopped successfully!
Service TuneUp.Defrag deleted successfully!
File %systemroot%\system32\nwdls.dll not found.
Service TestHandler stopped successfully!
Service TestHandler deleted successfully!
File %systemroot%\system32\idebusdr.dll not found.
Service symids stopped successfully!
Service symids deleted successfully!
File %systemroot%\system32\arrayssl_vpn_service3,0,1,9.dll not found.
Service ssm_bus stopped successfully!
Service ssm_bus deleted successfully!
File %systemroot%\system32\spkrmon.dll not found.
Service Slntamr stopped successfully!
Service Slntamr deleted successfully!
File %systemroot%\system32\se44obex.dll not found.
Service slave stopped successfully!
Service slave deleted successfully!
File %systemroot%\system32\kmixer.dll not found.
Service siskp stopped successfully!
Service siskp deleted successfully!
File %systemroot%\system32\DSI_SiUSBXp_3_1.dll not found.
Service ScanUSBEMPIA stopped successfully!
Service ScanUSBEMPIA deleted successfully!
File %systemroot%\system32\SE2Cmdm.dll not found.
Service rt73 stopped successfully!
Service rt73 deleted successfully!
File %systemroot%\system32\aspi32.dll not found.
Service retinaengine stopped successfully!
Service retinaengine deleted successfully!
File %systemroot%\system32\mfesmfk.dll not found.
Service razerusb stopped successfully!
Service razerusb deleted successfully!
File %systemroot%\system32\tosrfbd.dll not found.
Service pptchpad stopped successfully!
Service pptchpad deleted successfully!
File %systemroot%\system32\ma763004.dll not found.
Service pcx1unic stopped successfully!
Service pcx1unic deleted successfully!
File %systemroot%\system32\nvcap.dll not found.
Service pcidump stopped successfully!
Service pcidump deleted successfully!
File %systemroot%\system32\rimsptsk.dll not found.
Service OVT511Plus stopped successfully!
Service OVT511Plus deleted successfully!
File %systemroot%\system32\symids.dll not found.
Service nscirda stopped successfully!
Service nscirda deleted successfully!
File %systemroot%\system32\avidsdmservice.dll not found.
Service netwg311 stopped successfully!
Service netwg311 deleted successfully!
File %systemroot%\system32\db2governor.dll not found.
Service NEC Usb3 stopped successfully!
Service NEC Usb3 deleted successfully!
File C:\Windows\system32\usbnaw32.dll not found.
Service mfetdik stopped successfully!
Service mfetdik deleted successfully!
File %systemroot%\system32\vetmsgnt.dll not found.
Service lpx stopped successfully!
Service lpx deleted successfully!
File %systemroot%\system32\roxupnprenderer.dll not found.
Service licensemanagersocket stopped successfully!
Service licensemanagersocket deleted successfully!
File %systemroot%\system32\nvidesm.dll not found.
Service iolo_srv stopped successfully!
Service iolo_srv deleted successfully!
File %systemroot%\system32\napagent.dll not found.
Service hsfhwbs2 stopped successfully!
Service hsfhwbs2 deleted successfully!
File %systemroot%\system32\USBModem.dll not found.
Service FreshIO stopped successfully!
Service FreshIO deleted successfully!
File %systemroot%\system32\NWDNS.dll not found.
Service flashpnt stopped successfully!
Service flashpnt deleted successfully!
File %systemroot%\system32\s116unic.dll not found.
Service Fd16_700 stopped successfully!
Service Fd16_700 deleted successfully!
File %systemroot%\system32\ialm.dll not found.
Service fa_scheduler stopped successfully!
Service fa_scheduler deleted successfully!
File %systemroot%\system32\tunmp.dll not found.
Service elockservice stopped successfully!
Service elockservice deleted successfully!
File %systemroot%\system32\cbidf.dll not found.
Service Cam5607 stopped successfully!
Service Cam5607 deleted successfully!
File %systemroot%\system32\prevxdriver.dll not found.
Service application stopped successfully!
Service application deleted successfully!
File %systemroot%\system32\usbuhci.dll not found.
Service ac97intc stopped successfully!
Service ac97intc deleted successfully!
File %systemroot%\system32\cfosspeeds.dll not found.
HKU\S-1-5-21-1211825294-410278775-2010435404-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyOverride| /E : value set successfully!
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\SNM deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b34c968e-cec7-11de-9dc8-00188bc80509}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b34c968e-cec7-11de-9dc8-00188bc80509}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b34c968e-cec7-11de-9dc8-00188bc80509}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b34c968e-cec7-11de-9dc8-00188bc80509}\ not found.
File G:\Launcher.exe not found.
mfetdik removed from NetSvcs value successfully!
wg3n removed from NetSvcs value successfully!
rt73 removed from NetSvcs value successfully!
fa_scheduler removed from NetSvcs value successfully!
USB28xxBGA removed from NetSvcs value successfully!
Fd16_700 removed from NetSvcs value successfully!
nscirda removed from NetSvcs value successfully!
pcidump removed from NetSvcs value successfully!
merakcontrol removed from NetSvcs value successfully!
a016obex removed from NetSvcs value successfully!
KR10N removed from NetSvcs value successfully!
nvport removed from NetSvcs value successfully!
vcdsecs removed from NetSvcs value successfully!
SNP2UVC removed from NetSvcs value successfully!
lxcz_device removed from NetSvcs value successfully!
kraidsvc removed from NetSvcs value successfully!
akshasp removed from NetSvcs value successfully!
U81xmgmt removed from NetSvcs value successfully!
wap3gx removed from NetSvcs value successfully!
iolo_srv removed from NetSvcs value successfully!
lpx removed from NetSvcs value successfully!
siskp removed from NetSvcs value successfully!
ssm_bus removed from NetSvcs value successfully!
FreshIO removed from NetSvcs value successfully!
Slntamr removed from NetSvcs value successfully!
twdns removed from NetSvcs value successfully!
flashpnt removed from NetSvcs value successfully!
hsfhwbs2 removed from NetSvcs value successfully!
ScanUSBEMPIA removed from NetSvcs value successfully!
TestHandler removed from NetSvcs value successfully!
NMSAccessU removed from NetSvcs value successfully!
dnwhodisp removed from NetSvcs value successfully!
symids removed from NetSvcs value successfully!
amdppm removed from NetSvcs value successfully!
dnserver32 removed from NetSvcs value successfully!
mcafeeantispyware removed from NetSvcs value successfully!
livesrv removed from NetSvcs value successfully!
ELmon removed from NetSvcs value successfully!
MxlW2k removed from NetSvcs value successfully!
epson_pm_rpcv2_01 removed from NetSvcs value successfully!
3compxe removed from NetSvcs value successfully!
tvtpktfilter removed from NetSvcs value successfully!
AtcL002 removed from NetSvcs value successfully!
prismxl removed from NetSvcs value successfully!
portio removed from NetSvcs value successfully!
ATIBTCAP removed from NetSvcs value successfully!
vsdatant removed from NetSvcs value successfully!
vusbbus removed from NetSvcs value successfully!
guardian2 removed from NetSvcs value successfully!
mpfservice removed from NetSvcs value successfully!
axsnmsvc removed from NetSvcs value successfully!
pdlncfwk removed from NetSvcs value successfully!
ip6fw removed from NetSvcs value successfully!
edspport removed from NetSvcs value successfully!
RTHDMIAzAudService removed from NetSvcs value successfully!
lxdmCATSCustConnectService removed from NetSvcs value successfully!
STV680m removed from NetSvcs value successfully!
ATIVTUTW removed from NetSvcs value successfully!
arp1394 removed from NetSvcs value successfully!
soma removed from NetSvcs value successfully!
VC4CB104 removed from NetSvcs value successfully!
clnt_clientman removed from NetSvcs value successfully!
iaimtv0 removed from NetSvcs value successfully!
axskbus removed from NetSvcs value successfully!
SaiMini removed from NetSvcs value successfully!
centennialiptransferagent removed from NetSvcs value successfully!
tifsfilter removed from NetSvcs value successfully!
asmagent removed from NetSvcs value successfully!
id2scaps removed from NetSvcs value successfully!
rpcsvr4x removed from NetSvcs value successfully!
btwhid removed from NetSvcs value successfully!
TryAndDecideService removed from NetSvcs value successfully!
CAMCAUD removed from NetSvcs value successfully!
rfcomm removed from NetSvcs value successfully!

carnivorous danus (thread starter)
Post 11, Monday, April 23rd 2012, 3:27pm (continued)

Bcim removed from NetSvcs value successfully!
PTDCBus removed from NetSvcs value successfully!
splitter removed from NetSvcs value successfully!
brmfrmps removed from NetSvcs value successfully!
pnarp removed from NetSvcs value successfully!
EACSys removed from NetSvcs value successfully!
icam4usb removed from NetSvcs value successfully!
DCamUSBMke2 removed from NetSvcs value successfully!
USB11LDR removed from NetSvcs value successfully!
FirePM removed from NetSvcs value successfully!
gdihook5 removed from NetSvcs value successfully!
slimsvc removed from NetSvcs value successfully!
CVirtA removed from NetSvcs value successfully!
spupdsvc removed from NetSvcs value successfully!
mwstick removed from NetSvcs value successfully!
kl1 removed from NetSvcs value successfully!
JRAID removed from NetSvcs value successfully!
WimFltr removed from NetSvcs value successfully!
s3savagenb removed from NetSvcs value successfully!
ndasbus removed from NetSvcs value successfully!
eskerlicensecontrol removed from NetSvcs value successfully!
lxrjd31d removed from NetSvcs value successfully!
cwafeventrouter removed from NetSvcs value successfully!
VAIOMediaPlatform-PhotoServer-HTTP removed from NetSvcs value successfully!
se58mgmt removed from NetSvcs value successfully!
AIRPLUS removed from NetSvcs value successfully!
USBVCD removed from NetSvcs value successfully!
cypresslink removed from NetSvcs value successfully!
rupsmon removed from NetSvcs value successfully!
backupexecnotificationserver removed from NetSvcs value successfully!
p17 removed from NetSvcs value successfully!
DFUBTUSB removed from NetSvcs value successfully!
NETw4v32 removed from NetSvcs value successfully!
snpstd2 removed from NetSvcs value successfully!
usnjsvc removed from NetSvcs value successfully!
iwebmsg removed from NetSvcs value successfully!
sqlagent$sony_mediamgr removed from NetSvcs value successfully!
kbfiltr removed from NetSvcs value successfully!
ScFBPNT2 removed from NetSvcs value successfully!
UDFReadr removed from NetSvcs value successfully!
yats32 removed from NetSvcs value successfully!
SRTSPL removed from NetSvcs value successfully!
CrystalSysInfo removed from NetSvcs value successfully!
tme3srv removed from NetSvcs value successfully!
cmuda removed from NetSvcs value successfully!
CDRPDACC removed from NetSvcs value successfully!
iPassPeriodicUpdateService removed from NetSvcs value successfully!
pdlnatcm removed from NetSvcs value successfully!
AVerTV removed from NetSvcs value successfully!
lirsgt removed from NetSvcs value successfully!
ypcservice removed from NetSvcs value successfully!
emproxy removed from NetSvcs value successfully!
SNMP removed from NetSvcs value successfully!
Wbutton removed from NetSvcs value successfully!
hSONYPVh removed from NetSvcs value successfully!
ASNDIS5 removed from NetSvcs value successfully!
pid_0928 removed from NetSvcs value successfully!
iPassP removed from NetSvcs value successfully!
RR2IOMod removed from NetSvcs value successfully!
GcKernel removed from NetSvcs value successfully!
GTF32BUS removed from NetSvcs value successfully!
icraplus removed from NetSvcs value successfully!
prevxdriver removed from NetSvcs value successfully!
cwafadmincontroller removed from NetSvcs value successfully!
CXTUNE removed from NetSvcs value successfully!
KLOGNT removed from NetSvcs value successfully!
s117bus removed from NetSvcs value successfully!
MREMP50 removed from NetSvcs value successfully!
USRpdA removed from NetSvcs value successfully!
StillCam removed from NetSvcs value successfully!
p3 removed from NetSvcs value successfully!
eliservice removed from NetSvcs value successfully!
pdiddcci removed from NetSvcs value successfully!
mgabg removed from NetSvcs value successfully!
vsbus removed from NetSvcs value successfully!
VNUSB removed from NetSvcs value successfully!
nsm1mdfl removed from NetSvcs value successfully!
application removed from NetSvcs value successfully!
wkscfgsrv removed from NetSvcs value successfully!
se45nd5 removed from NetSvcs value successfully!
pcctlcom removed from NetSvcs value successfully!
usbsermpt removed from NetSvcs value successfully!
Cam5607 removed from NetSvcs value successfully!
TuneUp.Defrag removed from NetSvcs value successfully!
licensemanagersocket removed from NetSvcs value successfully!
retinaengine removed from NetSvcs value successfully!
pcx1unic removed from NetSvcs value successfully!
VHidMinidrv removed from NetSvcs value successfully!
ac97intc removed from NetSvcs value successfully!
slave removed from NetSvcs value successfully!
OVT511Plus removed from NetSvcs value successfully!
{e2b953a6-195a-44f9-9ba3-3d5f4e32bb55} removed from NetSvcs value successfully!
atitunep removed from NetSvcs value successfully!
ipssvc removed from NetSvcs value successfully!
sddmi2 removed from NetSvcs value successfully!
wandrv removed from NetSvcs value successfully!
MobilePreInstallerService removed from NetSvcs value successfully!
s3twistr removed from NetSvcs value successfully!
BrScnUsb removed from NetSvcs value successfully!
SprintRcAppSvc removed from NetSvcs value successfully!
i81x removed from NetSvcs value successfully!
PSI_SVC_2 removed from NetSvcs value successfully!
pptchpad removed from NetSvcs value successfully!
k750mdfl removed from NetSvcs value successfully!
netwg311 removed from NetSvcs value successfully!
VAIOMediaPlatform-VideoServer-UPnP removed from NetSvcs value successfully!
razerusb removed from NetSvcs value successfully!
elockservice removed from NetSvcs value successfully!
wacommousefilter removed from NetSvcs value successfully!
WmdmPmSp removed from NetSvcs value successfully!
LogonHours removed from NetSvcs value successfully!
PCAudit removed from NetSvcs value successfully!
helpsvc removed from NetSvcs value successfully!
uploadmgr removed from NetSvcs value successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickSet.lnk\ deleted successfully.
C:\Windows\pss\QuickSet.lnk.CommonStartup moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\{C4B38867-5E69-8091-AF38-74F24C7FF641}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C4B38867-5E69-8091-AF38-74F24C7FF641}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\SigmatelSysTrayApp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\SunJavaUpdateSched\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpReg\PrinTray\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\StartUpFolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Audible Download Manager.lnk\ deleted successfully.
C:\Windows\pss\Audible Download Manager.lnk.CommonStartup moved successfully.
ADS C:\ProgramData\TEMP:88050731 deleted successfully.
ADS C:\ProgramData\TEMP:59756FA4 deleted successfully.
ADS C:\ProgramData\TEMP:DFC5A2B2 deleted successfully.
ADS C:\ProgramData\TEMP:A8ADE5D8 deleted successfully.
========== REGISTRY ==========
========== FILES ==========
========== COMMANDS ==========

[EMPTYFLASH]

User: admin
->Flash cache emptied: 1271 bytes

User: All Users

User: Default
->Flash cache emptied: 56502 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


[EMPTYTEMP]

User: admin
->Temp folder emptied: 48323694 bytes
->Temporary Internet Files folder emptied: 328846 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 71058338 bytes
->Google Chrome cache emptied: 8723605 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2126030 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 125.00 mb


[EMPTYJAVA]

User: admin
->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: Public

Total Java Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.40.0 log created on 04232012_091816

Files\Folders moved on Reboot...
File move failed. C:\Windows\temp\Amazon Digital Video\Servicelog.adv scheduled to be moved on reboot.

Registry entries deleted on Reboot...
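The two OTL logs in this thread (the misformatted scan output in the earlier post and the fix output above) can be cross-checked mechanically rather than by eye. The following Python script is an added example, not part of the original thread and not code from OTL: it strips the "Error: Unable to interpret <...> in the current context!" wrapping that OTL produces when a script is pasted without its header, recovers the NetSvcs lines, parses the entries the scan flagged, parses the fix log, and reports any entry that was flagged but never removed from the netsvcs value, or that the scan showed with a ServiceDll path but whose service key was not deleted. The sample log lines are constructed from entry names that appear on this page; which names are kept or dropped in the samples is chosen so that each report field has something to show.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of a misformatted OTL fix run. When the pasted script lacks its
# ":OTL" header, OTL echoes the text it could not parse inside
# "Error: Unable to interpret <...> in the current context!" chunks whose boundaries fall
# mid-word, exactly as in the log above. Entry names are ones that appear on this page.
SAMPLE_SCAN = r"""Error: Unable to interpret <NetSvcs: ti> in the current context!
Error: Unable to interpret <fsfilter - File not found
NetSvcs: asmagent - File not found
NetSvcs: slave - %systemroot%\system32\kmixer.dll File not found
NetSvcs: eskerlicensecontrol - File not > in the current context!
Error: Unable to interpret <found
NetSvcs: helpsvc - File not found> in the current context!"""

# Constructed sample of the matching OTL fix output, deliberately incomplete so the report
# has something to say: eskerlicensecontrol is never removed, and uploadmgr is removed
# although it is not in the scan sample.
SAMPLE_FIX = r"""All processes killed
========== OTL ==========
Service slave stopped successfully!
Service slave deleted successfully!
File %systemroot%\system32\kmixer.dll not found.
tifsfilter removed from NetSvcs value successfully!
asmagent removed from NetSvcs value successfully!
slave removed from NetSvcs value successfully!
helpsvc removed from NetSvcs value successfully!
uploadmgr removed from NetSvcs value successfully!"""

# The seam OTL inserts between two consecutive unparsed chunks; deleting it rejoins the text.
CHUNK_SEAM = re.compile(r">\s*in the current context!\r?\n\s*Error: Unable to interpret <")
# "NetSvcs: <name> - [<ServiceDll path>] File not found"; the path is absent when OTL
# printed no file at all behind the entry.
SCAN_RE = re.compile(r"^NetSvcs:\s+(?P<name>\S+)\s+-\s+(?:(?P<path>.+?)\s+)?File not found$")
REMOVED_RE = re.compile(r"^(?P<name>\S+) removed from NetSvcs value successfully!$")
DELETED_RE = re.compile(r"^Service (?P<name>.+?) deleted successfully!$")


def unwrap_otl_errors(text: str) -> List[str]:
    """Recover the original script lines from OTL's 'Unable to interpret' wrapping."""
    joined = CHUNK_SEAM.sub("", text)
    joined = re.sub(r"^Error: Unable to interpret <", "", joined, flags=re.M)  # first chunk
    joined = re.sub(r">\s*in the current context!$", "", joined, flags=re.M)   # last chunk
    return [ln.strip() for ln in joined.splitlines() if ln.strip()]


def parse_scan(lines: List[str]) -> Dict[str, Optional[str]]:
    """Map each flagged netsvcs entry to the ServiceDll path OTL printed (None if none)."""
    flagged: Dict[str, Optional[str]] = {}
    for line in lines:
        m = SCAN_RE.match(line.strip())
        if m:
            flagged[m["name"]] = m["path"]
    return flagged


def parse_fix(lines: List[str]) -> Tuple[Set[str], Set[str]]:
    """Return (names removed from the netsvcs value, service keys deleted)."""
    removed: Set[str] = set()
    deleted: Set[str] = set()
    for line in lines:
        s = line.strip()
        m = REMOVED_RE.match(s)
        if m:
            removed.add(m["name"])
            continue
        m = DELETED_RE.match(s)
        if m:
            deleted.add(m["name"])
    return removed, deleted


@dataclass
class AuditReport:
    flagged: Dict[str, Optional[str]]
    still_listed: List[str]     # flagged, but no "removed from NetSvcs value" line in the fix
    key_left_behind: List[str]  # scan showed a ServiceDll path, but no "Service X deleted" line
    not_in_scan: List[str]      # removed by the fix, but absent from the scan text supplied


def audit(scan_text: str, fix_text: str) -> AuditReport:
    flagged = parse_scan(unwrap_otl_errors(scan_text))
    removed, deleted = parse_fix(fix_text.splitlines())
    return AuditReport(
        flagged=flagged,
        still_listed=sorted(set(flagged) - removed),
        key_left_behind=sorted(n for n, p in flagged.items() if p and n not in deleted),
        not_in_scan=sorted(removed - set(flagged)),
    )


if __name__ == "__main__":
    report = audit(SAMPLE_SCAN, SAMPLE_FIX)
    print(f"{len(report.flagged)} netsvcs entries flagged by the scan")
    print("still listed after fix:", report.still_listed)
    print("service key left behind:", report.key_left_behind)
    print("removed but not in scan text:", report.not_in_scan)
```

Run it against full copies of both logs (paste them into SAMPLE_SCAN and SAMPLE_FIX, or read the files). An empty still_listed and key_left_behind is what you want to see before moving on to ComboFix; not_in_scan is expected to be non-empty for this thread, because the scan excerpt posted above is only a fragment of the script OTL was given.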

carnivorous danus (thread starter)
Post 12, Tuesday, April 24th 2012, 1:05am

OK, I'm not entirely sure what the problem was with ComboFix: Ad-Aware was definitely uninstalled, Avira was disabled, and I ran it in Safe Mode, which seemed to work, but it asked me to reboot and when I did there was no log to be found, so I reran it in normal mode, at which point it worked. Here's the log:
http://pastebin.com/upM3wySp

And here's the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 19:01 on 23/04/2012 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "smb.sys"
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys --a---- 66048 bytes [08:57 02/11/2006] [08:57 02/11/2006] AC0D90738ADB51A6FD12FF00874A2162
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [00:33 16/09/2008] [05:55 19/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6

Searching for "ipinip.sys"
No files found.

-= EOF =-

marfabilis, Moderator
Post 13, Tuesday, April 24th 2012, 1:26pm

Hi carnivorous danus,

The first log created by ComboFix is missing, so I don't know what was removed in Safe Mode, but you don't have a copy of a clean ipinip.sys file on your system.
I'll provide a procedure to restore the smb.sys file, but to replace ipinip.sys, do you know someone, or a friend, using a clean Windows Vista SP2? If so, you could ask them to send this file to you. Then I'll help you to restore this file.

1) Let's run a CFScript.
  • Open Notepad by clicking the Start button. In the search box, type Notepad, and then, in the list of results, click Notepad;
  • Then, please copy and paste the following content quoted below into Notepad window. Do NOT include the word "Quoted";

    Quoted

    KillAll::
    FCopy::
    C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys | C:\Windows\system32\drivers\smb.sys
    Folder::
    c:\programdata\Ad-Aware Browsing Protection
    c:\users\admin\AppData\Roaming\Ad-Aware Antivirus
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    RegLockDel::
    [HKEY_USERS\S-1-5-21-1211825294-410278775-2010435404-1000\¬ î**]
    [HKEY_USERS\S-1-5-21-1211825294-410278775-2010435404-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C53E0659-9AE2-70C3-B5B1-6F6DCDDBECD5}*]

  • Save the document as CFScript.txt (do NOT change the filename) in your desktop;
  • Disable your Avira Antivirus (Guard module / Realtime Protection) or ANY other security programs, antispyware or antimalware applications that are running in real time;
  • Then, drag the CFScript.txt file into ComboFix.exe, as you see below;



  • This action will start the ComboFix again;
  • Do NOT click anywhere in the ComboFix window;
  • Do NOT close ComboFix by clicking on red X in the upper left corner;
  • Do NOT move the mouse and do NOT use the keyboard, as it can cause the tool to stall, crash and your desktop will go blank;
  • After reboot, (in case it ask to reboot), please submit the Combofix.txt to Pastebin.com as usual;
  • Please post the Pastebin URL related to ComboFix.txt in your next reply.
2) Then, please download the following files: Smb.reg and LEGACY_SMB.reg. After that, right-click on each ".reg" file and click Merge. Reboot and perform the following step:

3) Please download Farbar Service Scanner (to any folder or your desktop) and run it on the computer with the issue.
  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore

  • Press "Scan";
  • It will create a log (FSS.txt) in the same folder the tool is placed;
  • Please submit the log to Pastebin.com and post the URL in your next reply
----
Marco
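The FCopy:: line in the CFScript above was built by hand from the SystemLook output: two WinSxS copies of smb.sys, and no copy at all of ipinip.sys. The Python below is an added example, not code from this thread and not part of SystemLook or ComboFix: it parses SystemLook filefind output, picks for each file the highest-versioned WinSxS copy whose component version does not exceed the installed OS build (a heuristic assumed here; 6.0.6002 for Vista SP2, and the drivers directory C:\Windows\system32\drivers, are taken from the thread), emits the FCopy:: directive, and lists the files for which no local copy exists, so that a clean copy has to come from another machine. The MD5 from the log is carried along with the chosen copy so it can be compared against a trusted reference if one is available; the page gives none.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the SystemLook filefind section posted above, used here as input.
SAMPLE_SYSTEMLOOK = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 19:01 on 23/04/2012 by admin
Administrator - Elevation successful

========== filefind ==========

Searching for "smb.sys"
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6000.16386_none_5d33cf37fb0b3064\smb.sys --a---- 66048 bytes [08:57 02/11/2006] [08:57 02/11/2006] AC0D90738ADB51A6FD12FF00874A2162
C:\Windows\winsxs\x86_microsoft-windows-nbsmb_31bf3856ad364e35_6.0.6001.18000_none_5f6a9133f7f64138\smb.sys --a---- 66560 bytes [00:33 16/09/2008] [05:55 19/01/2008] 031E6BCD53C9B2B9ACE111EAFEC347B6

Searching for "ipinip.sys"
No files found.

-= EOF =-
"""

SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')
# "<path> <attrs> <size> bytes [<created>] [<modified>] <MD5>"
HIT_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)
# Component version embedded in a WinSxS directory name, e.g. ..._6.0.6001.18000_none_...
SXS_VERSION_RE = re.compile(r"\\winsxs\\[^\\]*_(?P<ver>\d+\.\d+\.\d+\.\d+)_", re.IGNORECASE)


@dataclass
class Candidate:
    path: str
    version: Optional[Tuple[int, ...]]  # None when the copy is not under WinSxS
    size: int
    md5: str


@dataclass
class Restore:
    source: str
    target: str
    md5: str  # from the log; compare against a trusted reference if you have one


def parse_systemlook(text: str) -> Dict[str, List[Candidate]]:
    """Group filefind hits by the searched-for file name; 'No files found.' gives []."""
    results: Dict[str, List[Candidate]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m["name"]
            results[current] = []
            continue
        if current is None:
            continue
        m = HIT_RE.match(line)
        if m:
            v = SXS_VERSION_RE.search(m["path"])
            ver = tuple(int(x) for x in v["ver"].split(".")) if v else None
            results[current].append(Candidate(m["path"], ver, int(m["size"]), m["md5"].upper()))
    return results


def plan_restore(
    results: Dict[str, List[Candidate]],
    os_build: Tuple[int, int, int] = (6, 0, 6002),      # Vista SP2, as on this page
    drivers_dir: str = r"C:\Windows\system32\drivers",  # FCopy target used above
) -> Dict[str, Optional[Restore]]:
    """Pick, per file, the highest-versioned WinSxS copy not newer than the OS build
    (assumption: a newer copy would belong to a service pack that is not installed)."""
    plan: Dict[str, Optional[Restore]] = {}
    for name, cands in results.items():
        usable = [c for c in cands if c.version is not None and c.version[:3] <= os_build]
        if not usable:
            plan[name] = None  # no local copy: a clean file must come from another machine
            continue
        best = max(usable, key=lambda c: c.version)
        plan[name] = Restore(best.path, f"{drivers_dir}\\{name}", best.md5)
    return plan


def missing(plan: Dict[str, Optional[Restore]]) -> List[str]:
    return sorted(name for name, r in plan.items() if r is None)


def cfscript(plan: Dict[str, Optional[Restore]]) -> str:
    """Render the ComboFix FCopy:: section for every file that has a usable local copy."""
    lines = ["KillAll::", "FCopy::"]
    for name in sorted(plan):
        r = plan[name]
        if r is not None:
            lines.append(f"{r.source} | {r.target}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    plan = plan_restore(parse_systemlook(SAMPLE_SYSTEMLOOK))
    print(cfscript(plan))
    print("need a clean copy from elsewhere:", missing(plan))
```

On the sample, the emitted FCopy:: line is identical to the one in the CFScript above, and ipinip.sys comes back as missing, which matches the advice to obtain it from a clean Vista SP2 machine. The MD5 of the chosen copy is only as trustworthy as WinSxS itself on an infected host, so check it against a known-good value before relying on the restored driver.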

carnivorous danus (thread starter)
Post 14, Tuesday, April 24th 2012, 11:04pm

Here's the Combolog:
http://pastebin.com/xVATjTmZ

I merged Smb.reg but when I tried to merge LEGACY_SMB.reg a message came up reading: "Cannot import C:\users\admin\downloads\desktop\LEGACY_SMB.reg: Not all the data was successfully written to the registry. Some keys are open by the system or other processes." I tried shutting down any open nonessential processes, but it still didn't work.

marfabilis, Moderator
Post 15, Wednesday, April 25th 2012, 2:58pm

Hi carnivorous danus,

Click Start > type regedit into the Search box and press Enter;
Registry Editor will open; then please navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root;
Right-click Root and select Permissions...;
Under the Security tab, highlight Everyone and put a check mark in the box under Allow, next to Full Control;
Click Apply and OK.

Then, please try to merge the file LEGACY_SMB.reg into your Registry and tell me the results.
Also, did you get the file ipinip.sys from someone using a clean Windows Vista SP2?

Marco

carnivorous danus (thread starter)
Post 16, Wednesday, April 25th 2012, 5:29pm

When I try to apply Full Control to Everyone I get a message reading "Unable to save permissions on Root. Access is denied." I've noticed that since running ComboFix a lot of programs don't function normally unless I first run them as administrator.

I'm working on getting a copy of ipinip.sys. Should come in the next day or so.

carnivorous danus (thread starter)
Post 17, Wednesday, April 25th 2012, 6:42pm

Tried it again running regedit.exe as administrator, same message.

marfabilis, Moderator
Post 18, Wednesday, April 25th 2012, 8:13pm

Hi carnivorous danus,

Click Start > Type regedit into the Search box and press Enter;
Registry editor will open, then please navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions...;
Click Advanced;
Under the Owner tab select the entry starting with your user name, e.g. Marco(Marco-PC\Marco);
Put a check mark next to Replace owner on subcontainers and objects and click Apply and OK;
Under Security type while Everyone is selected put a check mark in the box under Allow next to Full Control;
Click Apply and OK.

If it's also failing to merge the file, then please read this article to enable the hidden Administrator Account on Windows Vista, log in there and try to merge the file using that account.

Marco

  • "carnivorous danus" started this thread

Date of registration:
Apr 21st 2012

Version:
Avira Free Antivirus

Operating System:
Windows Vista


19

Wednesday, April 25th 2012, 10:49pm

Great, got it. Here's the FSS.txt:
http://pastebin.com/2D2tEpi2

marfabilis

Moderator

Date of registration:
May 14th 2010

Version:
Avira Free Antivirus
Avira Antivirus Suite
Avira Internet Security Suite
Avira Internet Security

Operating System:
System of a Down


20

Thursday, April 26th 2012, 12:58pm

Hi carnivorous danus,

Which solution worked for you? The Administrator account?
Well, let's wait for ipinip.sys to restore the file as it should.

Meanwhile, back to Regedit and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
Right-Click Root and select Permissions....
Under the Owner tab select the entry starting with your user name, e.g. Marco(Marco-PC\Marco).
Remove the check mark next to Replace owner on subcontainers and objects and click Apply and OK.
Under Security type, highlight Everyone and put a check mark in the box under Allow, next to Read (the check mark should still be there; only change it if it is not). Remove the check mark in the box under Allow next to Full Control.
Click Apply and OK.

Then let's run another CFScript.
  • Open Notepad by clicking the Start button. In the search box, type Notepad, and then, in the list of results, click Notepad;
  • Then, please copy and paste the following content quoted below into Notepad window. Do NOT include the word "Quoted";

    Quoted

    KillAll::
    RegNull::
    [HKEY_USERS\S-1-5-21-1211825294-410278775-2010435404-1000\¬ î**]
    [HKEY_USERS\S-1-5-21-1211825294-410278775-2010435404-1000\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C53E0659-9AE2-70C3-B5B1-6F6DCDDBECD5}*]
  • Save the document as CFScript.txt (do NOT change the filename) in your desktop;
  • Disable your Avira Antivirus (Guard module / Realtime Protection) or ANY other security programs, antispyware or antimalware applications that are running in real time;
  • Then, drag the CFScript.txt file into ComboFix.exe, as you see below;

  • This action will start the ComboFix again;
  • Do NOT click anywhere in the ComboFix window;
  • Do NOT close ComboFix by clicking on red X in the upper left corner;
  • Do NOT move the mouse and do NOT use the keyboard, as it can cause the tool to stall or crash and your desktop to go blank;
  • After reboot (in case it asks to reboot), please submit the ComboFix.txt to Pastebin.com as usual;
  • Please post the Pastebin URL related to ComboFix.txt in your next reply.
-----
Marco
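As an added check that is not part of this thread, the PowerShell script below audits the Enum\Root key the steps above temporarily opened up: it reports the current owner, whether the Everyone entry has been put back to Read (instead of Full Control), and which subkeys still carry Deny entries or cannot be opened at all, which is what makes a .reg merge fail. It assumes an elevated PowerShell prompt and only reads the registry; the function and variable names are my own.

```powershell
# Added example, not from the thread: audit the ACL on Enum\Root after the manual steps.
# Run from an elevated PowerShell prompt. Read-only: it reports and changes nothing.
$EnumRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$EveryoneSid = 'S-1-1-0'   # well-known SID for "Everyone", independent of display language

function Get-IdentitySid {
    param([System.Security.Principal.IdentityReference]$Identity)
    # Translate an account name such as "Everyone" to its SID for a stable comparison
    try { $Identity.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $Identity.Value }
}

function Test-EnumRootPermissions {
    param([string]$Path = $EnumRoot)
    $acl  = Get-Acl -Path $Path
    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    $report = [ordered]@{
        Owner           = $acl.Owner      # the steps above changed this to your own account
        EveryoneRights  = @()
        EveryoneHasFull = $false
        Problems        = @()
    }
    foreach ($ace in $acl.Access) {
        if ((Get-IdentitySid $ace.IdentityReference) -ne $EveryoneSid) { continue }
        $report.EveryoneRights += "$($ace.AccessControlType): $($ace.RegistryRights)"
        if ($ace.AccessControlType -eq 'Allow' -and ($ace.RegistryRights -band $full) -eq $full) {
            $report.EveryoneHasFull = $true
            $report.Problems += "Everyone still has Full Control on $Path; set it back to Read."
        }
    }
    # Subkeys an elevated account cannot open, or that carry Deny entries, are the
    # locked-down keys that block merging a file such as LEGACY_SMB.reg.
    $listErrors = @()
    $subkeys = Get-ChildItem -Path $Path -ErrorAction SilentlyContinue -ErrorVariable listErrors
    foreach ($e in $listErrors) {
        $report.Problems += "Cannot open a subkey: $($e.Exception.Message)"
    }
    foreach ($sub in $subkeys) {
        try {
            $deny = (Get-Acl -Path $sub.PSPath).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
            if ($deny) {
                $who = ($deny | ForEach-Object { $_.IdentityReference.Value }) -join ', '
                $report.Problems += "$($sub.PSChildName): Deny entries for $who"
            }
        } catch {
            $report.Problems += "$($sub.PSChildName): cannot read ACL ($($_.Exception.Message))"
        }
    }
    [pscustomobject]$report
}

Test-EnumRootPermissions | Format-List
```

An empty Problems list with EveryoneHasFull set to False means the temporary grant was reverted as the steps describe.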