Is my PC now clean?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by meb95sc, Feb 11, 2012.

  1. meb95sc

    meb95sc Private E-2

    A few weeks back my browser started getting hijacked, i.e. occasional page redirects and general slowness.

    Avira Antivirus wasn't picking up the cause so I downloaded Spyware Doctor.

    It found the following:

    Rootkit.TDDS.V2
    backdoor.doebyt

    I then removed these using other products and manual methods.

    This included using the following tools:
    spyware doctor
    super antispyware
    combofix
    malwarebytes anti malware
    unhackme
    tddskiller
    rootkitrevealer
    prevx
    rkill
    regassasin
    mbrcheck
    mdtools
    zonealarm


    At one point I obviously deleted/quarantined a critical system file, as the system wouldn't boot, and I painstakingly fixed it, making it bootable again.

    I've followed the instructions on the Windows XP Malware Removal/Cleaning Procedure sticky.

    I've poured literally hundreds of hours into fixing this and come very close to formatting and starting over, but I've been very reluctant to do the latter due to the things I have installed and all the lost settings and config.

    I have since restored registry hives, done System Restore, run the MS sfc tool and upgraded the security software and settings. Of course since then I've been looking out for issues and running lots more scans. I don't mind the glitches too much but just want to be as sure as I can be that the system is clean of viruses and malware.

    I've been getting the following kind of issues though, so wanted to check with an expert on here that nothing sinister is going on. These are things like:


    Message from ZoneAlarm on boot: "userinit is trying to use avira in product messaging to access the internet."


    programs/handles not responding on shut down/log off: "sw", "cftmon.exe"

    no internet access upon reawakening from hibernate - fixable by shutting down and restarting ZoneAlarm - think the internet lock is kicking in but it doesn't declare it as such.

    an Explorer window starts up on boot, but is totally unresponsive - I do have the setting "restore my windows to the previous settings" on. This appears to be irrespective of whether any Explorer windows were open on the last shut down.

    I'm also quite suspicious of Adobe Acrobat/Reader - seems to be forever connecting to the internet for updates etc. - I've uninstalled and reinstalled so it's probably just bad software design.


    also there seems to be some kind of outbound traffic attempt which got blocked by ZoneAlarm - generic host 32 seems to have been trying to get out, trying sequential ports - see attached image. Actually the log has cleared itself, but suffice to say source was my PC's IP (varying ports with each attempt), destination always 8.8.8.8:53 (8.8.8.8 is defined in PC settings as DNS server).

    Maybe this is all just paranoia or perhaps there is resident malware on the system. I've spent so long fixing it I'm highly reluctant to reinstall Windows.

    Can anyone help pls!?

    HijackThis log attached. Can submit the MGlogs log output if that is helpful.

    TIA.
     

    Attached Files:

  2. thisisu

    thisisu Malware Consultant

    Hi and welcome to Major Geeks, meb95sc!

    You need to attach the logs from the sticky so I can review them. ;)
    I cannot help you with only the HiJackThis log you provided.
     
  3. meb95sc

    meb95sc Private E-2

    Apologies. OK, here's the first few logs...
     

    Attached Files:

  4. meb95sc

    meb95sc Private E-2

    And the next few:


    Several Malwarebytes logs attached that show some removal/cleaning. (I have run it many more times than this but hopefully these are the pertinent ones.)

    Thanks for looking at this thisisu!
     

    Attached Files:

  5. meb95sc

    meb95sc Private E-2

    And finally the last 2! Looking back there were quite a lot of infections!
     

    Attached Files:

  6. meb95sc

    meb95sc Private E-2

    The SAS log......
     

    Attached Files:

  7. thisisu

    thisisu Malware Consultant

    I want you to read and follow these instructions: TDSSKiller - How to run

    I'd like you to run another scan with MBAM using the latest application version and definitions.

    One of these older MBAM logs found a Ramnit infection. This is a particularly nasty worm. Let's see what your latest MBAM log says first before we do anything else.

    Also run another scan with ComboFix as your log is quite old.
     
  8. meb95sc

    meb95sc Private E-2

    I'd already run TDSSKiller but have run it again. Log attached. I've set most remaining things to skip as they're unsigned.

    I've noticed further firewall blocking events - see the attached image - maybe this is because I have now set the router to the internet zone?

    I'm having problems updating MBAM - it throws an error message but I will keep trying, then rerun ComboFix.
     

    Attached Files:

  9. thisisu

    thisisu Malware Consultant

    From Add/Remove Programs (via Control Panel), please uninstall the below:
    • Ad-Aware SE Personal
    • Ask Toolbar
    • Avira Free Antivirus
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 24
    • Java(TM) 6 Update 3
    • Java(TM) 6 Update 7
    • Malwarebytes' Anti-Malware version 1.51.2.1300
    • Registry Drill
    • µTorrent
    • ZoneAlarm Firewall
    • ZoneAlarm Free
    • ZoneAlarm Security Toolbar
    • ZoneAlarm Security
    • ZoneAlarm Toolbar

    Now download and run mbam-clean.exe

    You did not follow the instructions I gave you. There is a reason why I gave you that link (so you can read and follow the directions).

    Redownload MBAM from here.
    If you are having trouble updating it, let me know and I will provide further assistance.

    I want you to complete the above tasks before even attempting ComboFix.
     
  10. meb95sc

    meb95sc Private E-2

    Thanks for your replies.

    I did read and follow the TDSSKiller instructions, as far as I'm aware to the letter. Is there something specific you think I'm missing?

    The first time I ran TDSSKiller several weeks ago it did find certain things which I used the fix/cure options on. I suppose that they have now been fixed so don't appear in the logs any longer. Is that a possible issue?

    I will post some of the older logs on here.


    That's quite a lot of applications to uninstall. Is that necessary to get MBAM to update, or are they just considered rubbish?


    MBAM: it's always the same error message "PROGRAM_Error_updating (0,0,net exception)".
    I've just been through the process of updating MBAM - no change. Uninstall, reboot, reinstall - no change.
    Ran mbam-clean.exe, reboot, turn off AV and firewall, reinstall - no change.
     
  11. meb95sc

    meb95sc Private E-2

    1st 4 TDSSK logs
     

    Attached Files:

  12. meb95sc

    meb95sc Private E-2

    Thanks for your replies.

    There are so many TDSSK logs I've just added them all to the attached zip.

    I uninstalled most of those programs and have now successfully updated MBAM. I'll post the log once the scan has finished.
     

    Attached Files:

  13. thisisu

    thisisu Malware Consultant

    The current version of TDSSKiller is 2.7.11.0. I'd like for you to update it and run a scan.
     
  14. meb95sc

    meb95sc Private E-2

    Here we go.......

    Again zero detections, because I've already run scans and done my best to eliminate them.
     

    Attached Files:

  15. thisisu

    thisisu Malware Consultant

    You are still heavily infected. Let's get started ;)

    AFTER you complete TDSSKiller, start with the below:

    Unless you paid for it, uninstall this: PC Tools Spyware Doctor 9.0

    Fix items using OTL by OldTimer

    Double-click OTL.exe to run. (Vista/7 right-click and select Run as Administrator)
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
    Code:
    :services
    00000040
    23657123
    46386478
    53142132
    :files
    C:\WINDOWS\$NtUninstallKB6923$
    C:\Documents and Settings\Steve\Local Settings\Application Data\AskToolbar
    C:\Documents and Settings\Steve\Local Settings\Application Data\Conduit
    C:\Documents and Settings\Steve\Local Settings\Application Data\jsrpyoue.log
    C:\Documents and Settings\Steve\Local Settings\Application Data\ZoneAlarm_Security
    dir /s "C:\Documents and Settings\NetworkService\Local Settings\Application Data\App\" /c
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\App\qwjl.dll
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\App
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\F9230FBF-F40D-20C6-77E5-B0C27DF00AED.ico
    C:\WINDOWS\system32\F9230FBF-F40D-20C6-77E5-B0C27DF00AED.ico
    C:\WINDOWS\system32\c_7265209.nls
    C:\WINDOWS\system32\drivers\23657123.sys
    C:\WINDOWS\system32\drivers\46386478.sys
    C:\WINDOWS\system32\drivers\53142132.sys
    C:\Documents and Settings\Steve\Local Settings\temp\*.*
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\16OK9G7Y
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\1PIVB0O2
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\TW5B9S11
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Internet Explorer\DOMStore\WGO7DQ2C
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Media Player\Art Cache\LocalMLS\*.jpg
    sc stop WMPNetworkSvc /c
    sc config WMPNetworkSvc start= demand /c
    C:\Documents and Settings\Steve\Application Data\AskToolbar
    C:\Documents and Settings\Steve\Application Data\Avira
    C:\$VAULT$.AVG
    dir /s "c:\_687902_\" /c
    C:\WINDOWS\Tasks\Ad-Aware SE Personal.job
    C:\WINDOWS\Tasks\Scheduled Update for Ask Toolbar.job
    C:\WINDOWS\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
    C:\WINDOWS\Tasks\Spybot - Search & Destroy Updater -  Scheduled Task.job
    C:\WINDOWS\AC54E5443E42443CA91DA00A6974C592.TMP
    type "C:\rkill.log" /c
    :reg
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
    "McAfeeUpdaterUI"=-
    "Adobe Reader Speed Launcher"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "qwjl"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}]
    :commands
    [purity]
    [emptytemp]
    [resethosts]
    
    Now click the Run Fix button.
    If the fix needed a reboot please do it.
    Click the OK button (upon reboot).
    When OTL is finished, Notepad will open. Close Notepad.
    A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    Attach this log to your next message. (How to attach)
    Note: This file could be rather large and you may be unable to attach it as a .log. If this is the case, use WinZip or something similar to compress it and then upload the .zip file here.

    Now download and run ComboFix.exe from your desktop.
    Attach the latest log whenever it is finished. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)

    Let me know how the PC is running after you have completed these steps.
     
    Last edited: Feb 12, 2012
  16. meb95sc

    meb95sc Private E-2

    Ah OK, sorry I missed that.

    When I try to download this version Avira flags it as "TR/Crypt.ULPM.Gen".
    Maybe it's a false positive. I'll see if I can find a version direct from Kaspersky's website.
     
  17. meb95sc

    meb95sc Private E-2

  18. meb95sc

    meb95sc Private E-2

    Updated TDSSKiller and ran it. Nothing new found.

    Ran OTL as described. It needed to reboot after running.

    Windows then BSODs on boot-up.
    Safe mode, same result.

    OTL broke my system big time. Typing this on my mobile phone!

    Will see if I can fix it, as I think it's some HDD SCSI/mass storage device driver that may be the cause.
     
  19. meb95sc

    meb95sc Private E-2

    Seems the boot error is basically inaccessible boot device.

    Got to the recovery console and did fixmbr and fixboot.

    Same bsod.

    Now running chkdsk.

    Any idea what change OTL made to cause this and how to fix it?
     
  20. meb95sc

    meb95sc Private E-2

    Chkdsk ran ok.


    Just to confirm that the PC is now unbootable into any form of Windows.

    I also ran mbr.exe and that reported no problems.

    I went through the tedious process of replacing the 5 registry hives but that made no difference so have reverted to the current ones in the hope that you are able to help by another method.

    Any advice on how to revert / fix the OTL changes much appreciated!

    the boot error message is:
    stop 0x0000007b (0xf789e524,0xc0000034, 0x00000000, 0x00000000)
     
  21. meb95sc

    meb95sc Private E-2

    I've managed to pull off the log file OTL produced via another PC (attached) but still can't get back into Windows - been trying to fix it much of the day. Does the file help you see what has gone wrong with the boot process (i.e. which critical files/registry entries have been removed)?
     

    Attached Files:

  22. thisisu

    thisisu Malware Consultant

    Hi,

    Sorry to hear that you have a boot problem now. I have an idea what went wrong but unfortunately I won't be able to go into great detail on how to attempt to recover from this until later this evening.

    I provided some insight below:

    Code:
    21:56:20.0375 17036	ACPI            (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\drivers\tskB8.tmp
    Code:
    %systemroot%\System32\drivers .tmp files removed: 263040 bytes
    It looks like at one time or another, acpi.sys was infected and renamed into a .tmp file.

    I have attached a clean copy of acpi.sys from a clean Windows XP SP3 computer.

    Put this file into C:\Windows\system32\drivers

    Then attempt to reboot normally.
     

    Attached Files:

  23. meb95sc

    meb95sc Private E-2

    Thanks. I suspect it was previously deleted, although there was already a file by the correct name and file size in the drivers folder (I probably previously reinstated it). I overwrote it with your attached file in any case but it doesn't make any difference to the boot issue.
     
  24. thisisu

    thisisu Malware Consultant

    Try renaming acpi.sys to tskB8.tmp.

    But keep a copy of acpi.sys there too ;)
     
    Last edited: Feb 13, 2012
  25. meb95sc

    meb95sc Private E-2

    Ok trying that now..
     
  26. meb95sc

    meb95sc Private E-2

    O

    Genius! Wow I've spent hours today fruitlessly trying to fix this.

    Was on the verge of formatting again there.

    Thanks so much!!

    I guess it would be a good idea to rename and re-point the .tmp file since it's evidently system critical!

    Running combofix now. Will post all logs shortly.
     
  27. meb95sc

    meb95sc Private E-2

    OK, here we go......

    not sure that OTL log has changed since last posted but added for completeness.
     

    Attached Files:

  28. thisisu

    thisisu Malware Consultant

    You're welcome ;)

    Yes we should end up changing the ImagePath back to acpi.sys instead of tskB8.tmp. We should do this later though as I want to focus on removing malware. A lot was deleted but there are still some stubborn drivers present.

    I'd like you to uninstall the below first as I want to ensure our next fix attempt doesn't run into any difficulties due to all the Security software you have installed.
    • Avira Free Antivirus
    • Java(TM) 6 Update 2
    • Java(TM) 6 Update 3
    • ZoneAlarm Firewall
    • ZoneAlarm Free
    • ZoneAlarm Security
    • ZoneAlarm Toolbar

    Also upload each of the following driver files to VirusTotal.com and let me know the results of each:
    Code:
    "C:\WINDOWS\system32\drivers\"
    23657123.sys  19 Jan 2012       98224  "23657123.sys"
    46386478.sys  18 Jan 2012       98992  "46386478.sys"
    53142132.sys  17 Jan 2012       98224  "53142132.sys"
    Next I want you to run DeFogger. Attach the defogger_disable.log on your desktop after you have run it. (How to attach)

    Now run C:\MGtools\GetLogs.bat by double-clicking it.
    This updates all of the logs inside MGlogs.zip.
    When it is finished, attach C:\MGlogs.zip to your next message. (How to attach)
     
    Last edited: Feb 13, 2012
  29. meb95sc

    meb95sc Private E-2

    I ran those 3 driver files through virustotal (nice facility that!). All totally clean. I actually reinstated them back in the drivers folder (copied from the OTL moved files folder) when the pc wouldn't boot so they are not as persistent as they may appear. I've deleted them again now.

    I did try to uninstall these versions of Java on the last uninstall - some updates uninstalled but these two give me an "error applying transforms. Verify that the specified transform paths are valid" error.

    I'll see if theres a fix online to sort this.


    I'm hesitant to uninstall the antivirus and firewall - surely that will leave the pc open to attack, not to mention allow any trojans etc to report back to base?

    I'll do so briefly to run defogger and get the logs but then will reinstall them.

    I've just noticed that the settings in ZoneAlarm have become wide open - i.e. various programs set with inbound internet server rights - is this a consequence of default settings being applied, or possibly something more sinister? I had it quite tightly locked down before.


    The good news is that the pc is now notably more responsive and not spending lots of time with the HDD hammering away for no apparent reason like it used to.

    WMPNetwork isn't appearing in task manager and windows messenger has stopped auto starting.

    It's getting there!
     
  30. meb95sc

    meb95sc Private E-2

    Managed to uninstall the old Java updates using a nice little dedicated tool I found called JavaRA. One wonders why Sun don't remove them when you update...

    I've attached logs.

    Going to reinstall Avira and firewall now as it would be daft to get another infection after all this effort!
     
  31. meb95sc

    meb95sc Private E-2

    attached.......
     

    Attached Files:

  32. meb95sc

    meb95sc Private E-2

    I've reinstalled antivirus and gone for Comodo as this site rates it better.
    Selected "Defense+" too after reading that it's not antivirus, although not sure if that's different to the advice on here on "how to keep your PC malware free".

    Notice quite a bit of port listening going on. See attached. Cause for concern?


    Also when logging onto Windows under another profile I get the error message (see attached) and the screen colours are all turned up excessively high - something to do with the gfx card device driver but not sure if virus related. Any idea?
     

    Attached Files:

  33. meb95sc

    meb95sc Private E-2

    Everything seemed OK but suddenly had a lot of unexplained HDD activity so took a screen shot of running processes at the time. Logged off and the HDD stopped. Logged back on and got the warning message shown in the other attachment. Again this latter point seems to be related to my gfx card drivers/software.
     

    Attached Files:

  34. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    ClearJavaCache::
    DirLook::
    C:\Documents and Settings\Steve\Application Data\Ozvup
    C:\WINDOWS\MYTMP
    Folder::
    C:\WINDOWS\$NtUninstallKB6923$
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    The rest of your logs and screenshots you provided appear to be software related as I am not finding any obvious traces of malware in your logs anymore.
     
  35. meb95sc

    meb95sc Private E-2

    I had to allow 2 or 3 process events which kicked off on Comodo Defense+ after the PC automatically rebooted - hopefully this didn't affect ComboFix.

    Thanks for all your help with this over the last few days.



    Couple of questions

    -how much confidence would you have in the system being clean now?
    ( i have read http://technet.microsoft.com/library/cc512587.aspx )

    - thinking of upgrading to windows 8 on release - do you know if it will be much better locked down in terms of virus/malware threats?
     

    Attached Files:

  36. thisisu

    thisisu Malware Consultant

    Delete this folder:
    • c:\documents and settings\Steve\Application Data\Ozvup

    You're welcome :)
    From what I understand, Microsoft is trying to improve Windows 8 by making it less prone to getting infected with malware. That's about all I know though.
    Your latest logs are all clean. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
  37. thisisu

    thisisu Malware Consultant

    Do you still want to try to repair a part of the registry so that it looks for acpi.sys instead of tskB8.tmp??

    If so, complete the below directions so I get a better idea of what all needs to be fixed:

    Please download MiniRegTool.zip and unzip it.

    • Run the tool.
    • Copy and paste the following into the edit box:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI
      HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ACPI
      HKEY_LOCAL_MACHINE\System\ControlSet002\Services\ACPI
      HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ACPI
      HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPI

    • Check Export keys radio button.
    • Press Go button and attach the result (Result.txt) that pops up. A copy of Result.txt will be saved in the same directory the tool is run.
     
  38. meb95sc

    meb95sc Private E-2

    THanks for remembering - here we go
     

    Attached Files:

  39. thisisu

    thisisu Malware Consultant

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI]
    "ImagePath"="system32\drivers\acpi.sys"
    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ACPI]
    "ImagePath"="system32\drivers\acpi.sys"
    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPI]
    "ImagePath"="system32\drivers\acpi.sys"
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)

    Afterwards, complete the steps in post #37 again.
     
  40. meb95sc

    meb95sc Private E-2

    I had to modify the MiniRegTool output file by putting a carriage return at the top as the website is saying the file has already been uploaded to this thread - therefore presumably it hasn't changed.

    Not sure therefore that will help on that basis?
     

    Attached Files:

  41. thisisu

    thisisu Malware Consultant

    Only 1 out of 3 entries changed. Not sure why it is having difficulty. We can try another way if you want.

    Fixing items using ComboFix
    Make sure that ComboFix.exe that you downloaded while doing the READ & RUN ME is on your desktop -- but do not run it.
    If it is not on your desktop, the below will not work.
    Shut down your protection software now (antivirus, antispyware...etc) to avoid possible conflicts.
    Open Notepad and copy/paste the text in the below code box into Notepad:
    Code:
    KillAll::
    Registry::
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI]
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
      72,00,69,00,76,00,65,00,72,00,73,00,5c,00,41,00,43,00,50,00,49,00,2e,00,73,\
      00,79,00,73,00,00,00
    
    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPI]
    "ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
      72,00,69,00,76,00,65,00,72,00,73,00,5c,00,41,00,43,00,50,00,49,00,2e,00,73,\
      00,79,00,73,00,00,00
    
    Save this file as CFScript.txt to your desktop. So now you should have both CFScript.txt and ComboFix.exe on your desktop.
    Now use your mouse to drag CFScript.txt on top of ComboFix.exe and then release.
    This will launch ComboFix.
    Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    Allow ComboFix to update itself if prompted.
    When ComboFix finishes, a log will be produced at C:\ComboFix.txt
    Attach this log to your next message. (How to attach)
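    The hex(2) value in the script above is nothing more than the UTF-16LE bytes of system32\drivers\ACPI.sys followed by a two-byte NUL terminator, and the underlying problem in this thread (a boot-start driver's ImagePath left pointing at a renamed .tmp file, plus numeric-named drivers dropped next to it) is something you can check for mechanically from the same kind of export MiniRegTool produced in post #37. The following Python is an added example, not part of the thread and not code from any of the tools used in it. The registry export it parses is constructed to mirror the thread's situation, and the file-name heuristics are prompts for a hash/VirusTotal check (post #29 showed the numeric drivers here came back clean), not a verdict.

```python
"""Audit driver services in a Windows registry export (.reg text).

Added example, not code from the thread or from the tools it uses. It decodes
ImagePath whether stored as a quoted string or as hex(2) (REG_EXPAND_SZ,
UTF-16LE) and flags kernel drivers whose image is not a .sys file, sits
outside system32\\drivers, or has a purely numeric name. Sample is constructed.
"""
import re

# Constructed sample, modelled on the thread: ACPI still points at the renamed
# tskB8.tmp, a numeric-named driver sits beside it, Disk is a normal hex(2) entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"="system32\\drivers\\tskB8.tmp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\23657123]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\??\\C:\\WINDOWS\\system32\\drivers\\23657123.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Disk]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,64,00,\
  72,00,69,00,76,00,65,00,72,00,73,00,5c,00,64,00,69,00,73,00,6b,00,2e,00,73,\
  00,79,00,73,00,00,00
'''

DRIVER_TYPES = {1, 2}  # SERVICE_KERNEL_DRIVER, SERVICE_FILE_SYSTEM_DRIVER
DRIVERS_DIR = 'system32\\drivers\\'

def decode_hex2(payload):
    """Turn '73,00,79,00,...' into the string it encodes (UTF-16LE, NUL-terminated)."""
    raw = bytes(int(b, 16) for b in payload.split(',') if b.strip())
    return raw.decode('utf-16-le').rstrip('\x00')

def to_hex2(value):
    """Inverse of decode_hex2: the hex(2) form a .reg file or CFScript needs."""
    data = (value + '\x00').encode('utf-16-le')
    return 'hex(2):' + ','.join(f'{b:02x}' for b in data)

def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    # A trailing backslash continues a hex value on the next line.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)+)"=(.*)', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.startswith('hex(2):'):
            keys[current][name] = decode_hex2(data[len('hex(2):'):])
        elif data.startswith('dword:'):
            keys[current][name] = int(data[len('dword:'):], 16)
    return keys

def normalise_image_path(path):
    """Lower-case and drop \\??\\ / drive prefixes so paths compare the same way."""
    path = path.lower()
    m = re.search(r'(?:^|\\)(system32\\.*)$', path)
    return m.group(1) if m else path

def audit_driver_services(text):
    """Return [(service, image_path, [reasons])] for driver entries worth a look."""
    findings = []
    for key, vals in parse_reg_export(text).items():
        if vals.get('Type') not in DRIVER_TYPES or 'ImagePath' not in vals:
            continue
        service = key.rsplit('\\', 1)[-1]
        norm = normalise_image_path(vals['ImagePath'])
        base = norm.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        reasons = []
        if not norm.endswith('.sys'):
            reasons.append('image is not a .sys file')
        if not norm.startswith(DRIVERS_DIR):
            reasons.append('image outside system32\\drivers')
        if base.isdigit():
            reasons.append('purely numeric file name')
        if reasons:
            findings.append((service, vals['ImagePath'], reasons))
    return findings

if __name__ == '__main__':
    for service, image, reasons in audit_driver_services(SAMPLE_REG):
        print(f'{service}: {image}  <- {"; ".join(reasons)}')
    print(to_hex2('system32\\drivers\\acpi.sys'))  # ready to paste into a CFScript
```

    Run as-is it reports the ACPI entry (non-.sys image) and the 23657123 entry (numeric name) and leaves Disk alone. To audit a real machine, read the export text into parse_reg_export instead of SAMPLE_REG; note that reg.exe writes exports as UTF-16 with a BOM, so open such a file with encoding='utf-16'. Flagged entries are candidates for the hash/VirusTotal check the thread describes, and the to_hex2 output is the same byte layout the consultant hand-wrote in the script above.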
     
  42. meb95sc

    meb95sc Private E-2

    OK did this, ComboFix rebooted the PC and got the BSOD boot issue again - same error as before on boot up. Have had to monkey around and revert to the registry backup from 13th Feb.

    Ideally I need to fix the registry that I backed up after this happened so that program installations and changes (not to mention malware cleaning!) aren't lost, but I'm not sure how, if indeed one can modify the registry hive files on a non-bootable system on XP.
     
    Last edited by a moderator: Feb 17, 2012
  43. thisisu

    thisisu Malware Consultant

    It's possible, you would have to do it from a CD or from the recovery console.

    What is the current state of the PC? Are you unable to boot into Windows?
     
  44. meb95sc

    meb95sc Private E-2

    I've got the recovery console installed on the HDD but I don't know how to modify the registry from there. Seems there's some 3rd party software that you can burn to make a bootable CD but it seemed somewhat involved.


    The PC was totally unbootable in normal and safe mode. Reverting to registry hive backups from the 13th has made it bootable again, but obviously the registry is out of kilter with the installed programs. Doing this may also have reinstated malware registry entries.
     
  45. thisisu

    thisisu Malware Consultant

  46. meb95sc

    meb95sc Private E-2

    ok here we go.

    Presume I will stick with these registry hives, in which case am I best to uninstall then reinstall Comodo and Avira?
    Was there any Malware as of the 13th?
     

    Attached Files:

  47. thisisu

    thisisu Malware Consultant

    Yes I would say just leave these registry entries alone. It's a bit easier to change them while the OS is inactive. It is somewhat involved. You may ask for additional assistance about this in the Software forum if you'd like to pursue this.

    I guess not, because these logs are clean, and you ran this scan on the 19th. :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis if it is present.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
      related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
    Be safe :)
     
    Last edited: Feb 19, 2012
  48. meb95sc

    meb95sc Private E-2

    Thanks for all your help with this. PC is now running sweetly.

    :):):):):)
     
  49. thisisu

    thisisu Malware Consultant

    No problem, surf safely! :)
     
