I think I have the antivirusxp2009

I am not sure what I got as I wasn't the first to find the problem. In short we tried to fix this with no luck. Malwarebytes won't run and if I boot into safe mode I get the "blue screen of death". I am having problems running hijackthis also. I got it to run once an this is the log I got. Any and all help would be appreciated. Thank you

Here is my log:
Logfile of HijackThis v1.97.7
Scan saved at 12:58:08 PM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Games\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Hello Flat Lander,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

• If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  
• If you have any cracked/pirated software in your computer delete them or we will not help you.
  
• Only follow advise from Geek Police Staff and not a regular member.
  
• Do NOT run any tool without Geek Police supervision as it could hinder your system useless.
  

• Download combofix from here
  Link 1
  Link 2
  

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:





3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouse click combofix's window whilst it's running. That may cause it to stall.
  

Thank you Origin, Here is my combofix log


ComboFix 09-07-19.01 - Owner 07/19/2009 8:10.1.1 - NTFSx86
Running from: c:\games\Combo-Fix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\csrss.exe
c:\docume~1\Owner\LOCALS~1\Temp\services.exe
c:\docume~1\Owner\LOCALS~1\Temp\svchost.exe
c:\docume~1\Owner\LOCALS~1\Temp\taskmgr.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\ipuduwuq.pif
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\lose.dl
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\lyferidoj.bat
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zukaco.bat
C:\gfub.exe
C:\myacngu.exe
C:\p2hhr.bat
c:\recycler\S-1-5-21-122048960-4198321903-4111881677-1007
c:\recycler\S-1-5-21-122048960-4198321903-4111881677-1008
C:\rtdasr.exe
C:\vphih.exe
c:\windows\010112010146118114.dat
c:\windows\0101120101464849.dat
c:\windows\01011201014650120.dat
c:\windows\0101120101465749.dat
c:\windows\0101120101465752.dat
c:\windows\DRIVERS\beep.sys
c:\windows\Installer\284543e0.msi
c:\windows\ld12.exe
c:\windows\system32\_scui.cpl
c:\windows\system32\AutoRun.inf
c:\windows\system32\tmp.reg

c:\windows\system32\drivers\beep.sys . . . is infected!!

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-18 19:43 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-18 19:39 . 2009-07-18 19:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-18 19:37 . 2009-07-18 19:37 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\program files\NOS
2009-07-18 13:50 . 2009-07-18 13:50 -------- d-----w- c:\program files\Trend Micro
2009-07-16 22:56 . 2009-07-16 22:56 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-07-16 22:55 . 2009-07-16 22:55 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-16 22:53 . 2009-07-16 22:53 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-07-16 21:39 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-16 21:39 . 2009-07-16 21:39 -------- d-----w- c:\windows\ie8updates
2009-07-16 21:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-16 21:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-16 21:33 . 2009-07-16 21:38 -------- dc-h--w- c:\windows\ie8
2009-07-15 02:41 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-15 02:40 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-15 02:40 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-15 02:40 . 2009-07-19 15:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-07-15 02:40 . 2009-07-15 02:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-15 02:40 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-15 02:40 . 2009-07-17 07:18 -------- d-----w- c:\program files\Spyware Doctor
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-07-15 02:08 . 2009-07-15 02:08 -------- d-----w- c:\program files\Enigma Software Group
2009-07-15 01:58 . 2009-07-15 01:58 18987 ----a-w- c:\documents and settings\Owner\Application Data\vapo.exe
2009-07-15 01:58 . 2009-07-15 01:58 17338 ----a-w- c:\windows\system32\kiqizuxade.com
2009-07-15 01:58 . 2009-07-15 01:58 15533 ----a-w- c:\program files\Common Files\olub.com
2009-07-15 01:58 . 2009-07-15 01:58 15269 ----a-w- c:\documents and settings\Owner\Application Data\pasobaky.dll
2009-07-15 01:58 . 2009-07-15 01:58 13588 ----a-w- c:\windows\jegozy.bin
2009-07-15 01:58 . 2009-07-15 01:58 13041 ----a-w- c:\documents and settings\Owner\Application Data\evodedujo.pif
2009-07-15 01:58 . 2009-07-15 01:58 11727 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\nygolonip.vbs
2009-07-15 01:58 . 2009-07-15 01:58 10829 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\rutepijary.com
2009-07-15 01:58 . 2009-07-15 01:58 10448 ----a-w- c:\windows\ojidiq.reg
2009-07-15 01:50 . 2009-07-15 01:50 19164 ----a-w- c:\windows\system32\pimuvah.sys
2009-07-15 01:50 . 2009-07-15 01:50 18739 ----a-w- c:\windows\kyto.scr
2009-07-15 01:50 . 2009-07-15 01:50 15929 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\mibupupa.dll
2009-07-15 01:50 . 2009-07-15 01:50 15021 ----a-w- c:\windows\system32\opufyd.pif
2009-07-15 01:50 . 2009-07-15 01:50 14128 ----a-w- c:\program files\Common Files\unequ.pif
2009-07-15 01:50 . 2009-07-15 01:50 13182 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\jyvez.reg
2009-07-15 01:50 . 2009-07-15 01:50 11756 ----a-w- c:\documents and settings\Owner\Application Data\topaceb.bat
2009-07-15 01:50 . 2009-07-15 01:50 11542 ----a-w- c:\windows\system32\nuseqo.com
2009-07-15 01:50 . 2009-07-15 01:50 11501 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\etecym.reg
2009-07-15 01:50 . 2009-07-15 01:50 10008 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\ryrorehic.dll
2009-07-15 00:03 . 2009-07-15 02:47 238642 ----a-w- c:\windows\system32\wisdstr.exe
2009-07-14 23:57 . 2009-07-14 23:57 24576 ----a-w- C:\fhlyeby.exe
2009-07-14 23:57 . 2009-07-14 23:57 11264 ----a-w- C:\benfuse.exe
2009-07-14 23:57 . 2009-07-16 11:54 278 ----a-w- c:\documents and settings\Owner\Application Data\AdobeUM\delself.bat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 20:19 . 2009-03-31 22:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 19:42 . 2004-05-16 16:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-15 01:58 . 2009-07-15 01:58 15014 ----a-w- c:\documents and settings\Owner\Application Data\beri.bin
2009-07-15 01:58 . 2009-07-15 01:58 13800 ----a-w- c:\program files\Common Files\murawyhyr._sy
2009-07-15 01:58 . 2009-07-15 01:58 12301 ----a-w- c:\documents and settings\Owner\Application Data\gakikuxaq.bin
2009-07-15 01:50 . 2009-07-15 01:50 13472 ----a-w- c:\program files\Common Files\obexo.db
2009-07-15 01:50 . 2009-07-15 01:50 11477 ----a-w- c:\program files\Common Files\uqihaha.ban
2009-07-14 23:57 . 2004-05-27 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-07-13 20:36 . 2009-03-31 22:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-03-31 22:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 20:01 . 2009-02-09 00:46 -------- d-----w- c:\program files\3DO
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-05-13 18:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 20:24 . 2009-05-20 20:24 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-13 05:15 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2007-03-03 01:15 . 2007-03-03 01:15 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-12-30 13:19 . 2007-02-20 00:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-30 13:19 . 2007-02-20 00:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-30 13:19 . 2007-02-20 00:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-30 13:19 . 2007-02-20 00:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-30 13:19 . 2007-02-20 00:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-06-05 17:12 . 2006-06-05 17:12 8 --sh--r- c:\windows\SYSTEM32\C359C33EBB.sys
2006-06-05 17:12 . 2006-06-05 17:12 3350 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------


[-] 2009-07-18 13:28 28672 9BA5A2F0BC70019C96510D730F5692DD c:\windows\SYSTEM32\DLLCACHE\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\SYSTEM32\DRIVERS\bsstor.sys [12/27/2003 6:10 PM 9344]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/14/2009 7:40 PM 130936]
R2 BsUDF;InCD UDF Driver;c:\windows\SYSTEM32\DRIVERS\bsudf.sys [12/27/2003 6:10 PM 455552]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/18/2009 12:37 PM 66056]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/14/2009 7:40 PM 348752]
S3 VVBETHERNET;Actiontec Gateway Service;c:\windows\SYSTEM32\DRIVERS\VVBETH.SYS [12/27/2003 4:48 PM 15309]
S3 vvbususb;Actiontec Gateway USB Service;c:\windows\SYSTEM32\DRIVERS\VVBUSUSB.SYS [12/27/2003 4:48 PM 50911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ca83abc9-2aa2-11d8-badc-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe739306-9fc5-11dd-bdeb-806d6172696f}]
\Shell\AutoRun\command - E:\AP_SETUP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gh5zw9eu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 08:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-19 8:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-19 15:33

Pre-Run: 40,314,138,624 bytes free
Post-Run: 43,211,001,856 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

222 --- E O F --- 2009-07-16 21:40

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
proquota.exe

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Here is the log from systemlook

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 10:10 on 19/07/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "proquota.exe"
C:\I386\PROQUOTA.EXE --a--- 45056 bytes [00:12 10/12/2003] [11:00 29/08/2002] B2A23CE7706D4B4A7D192761CD3DB3E1
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe -----c 50176 bytes [12:46 01/04/2009] [07:56 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
C:\WINDOWS\ServicePackFiles\i386\proquota.exe ------ 50176 bytes [07:56 04/08/2004] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8

-=End Of File=-

Now open a new notepad file.
Input this into the notepad file:

FCopy::
C:\WINDOWS\$NtServicePackUninstall$\proquota.exe | c:\windows\system32\proquota.exe

File::
c:\documents and settings\Owner\Application Data\vapo.exe
c:\windows\system32\kiqizuxade.com
c:\windows\jegozy.bin
c:\documents and settings\Owner\Application Data\evodedujo.pif
c:\documents and settings\Owner\Local Settings\Application Data\nygolonip.vbs
c:\documents and settings\All Users.WINDOWS\Application Data\rutepijary.com
c:\windows\ojidiq.reg
c:\windows\system32\pimuvah.sys
c:\windows\kyto.scr
c:\documents and settings\Owner\Local Settings\Application Data\mibupupa.dll
c:\windows\system32\opufyd.pif
c:\program files\Common Files\unequ.pif
c:\documents and settings\Owner\Local Settings\Application Data\jyvez.reg
c:\documents and settings\Owner\Application Data\topaceb.bat
c:\windows\system32\nuseqo.com
c:\documents and settings\Owner\Local Settings\Application Data\etecym.reg
c:\documents and settings\All Users.WINDOWS\Application Data\ryrorehic.dll
c:\windows\system32\wisdstr.exe
C:\fhlyeby.exe
C:\benfuse.exe
c:\documents and settings\Owner\Application Data\AdobeUM\delself.bat
c:\documents and settings\Owner\Application Data\beri.bin
c:\program files\Common Files\murawyhyr._sy
c:\documents and settings\Owner\Application Data\gakikuxaq.bin
c:\program files\Common Files\obexo.db
c:\program files\Common Files\uqihaha.ban

Rookit::
c:\windows\SYSTEM32\C359C33EBB.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Here is the next log:

ComboFix 09-07-19.02 - Owner 07/19/2009 16:05.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.263 [GMT -7:00]
Running from: c:\games\Combo-Fix.exe
Command switches used :: c:\games\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"C:\benfuse.exe"
"c:\documents and settings\All Users.WINDOWS\Application Data\rutepijary.com"
"c:\documents and settings\All Users.WINDOWS\Application Data\ryrorehic.dll"
"c:\documents and settings\Owner\Application Data\AdobeUM\delself.bat"
"c:\documents and settings\Owner\Application Data\beri.bin"
"c:\documents and settings\Owner\Application Data\evodedujo.pif"
"c:\documents and settings\Owner\Application Data\gakikuxaq.bin"
"c:\documents and settings\Owner\Application Data\topaceb.bat"
"c:\documents and settings\Owner\Application Data\vapo.exe"
"c:\documents and settings\Owner\Local Settings\Application Data\etecym.reg"
"c:\documents and settings\Owner\Local Settings\Application Data\jyvez.reg"
"c:\documents and settings\Owner\Local Settings\Application Data\mibupupa.dll"
"c:\documents and settings\Owner\Local Settings\Application Data\nygolonip.vbs"
"C:\fhlyeby.exe"
"c:\program files\Common Files\murawyhyr._sy"
"c:\program files\Common Files\obexo.db"
"c:\program files\Common Files\unequ.pif"
"c:\program files\Common Files\uqihaha.ban"
"c:\windows\jegozy.bin"
"c:\windows\kyto.scr"
"c:\windows\ojidiq.reg"
"c:\windows\system32\kiqizuxade.com"
"c:\windows\system32\nuseqo.com"
"c:\windows\system32\opufyd.pif"
"c:\windows\system32\pimuvah.sys"
"c:\windows\system32\wisdstr.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\benfuse.exe
c:\documents and settings\All Users.WINDOWS\Application Data\rutepijary.com
c:\documents and settings\All Users.WINDOWS\Application Data\ryrorehic.dll
c:\documents and settings\Owner\Application Data\AdobeUM\delself.bat
c:\documents and settings\Owner\Application Data\beri.bin
c:\documents and settings\Owner\Application Data\evodedujo.pif
c:\documents and settings\Owner\Application Data\gakikuxaq.bin
c:\documents and settings\Owner\Application Data\topaceb.bat
c:\documents and settings\Owner\Application Data\vapo.exe
c:\documents and settings\Owner\Local Settings\Application Data\etecym.reg
c:\documents and settings\Owner\Local Settings\Application Data\jyvez.reg
c:\documents and settings\Owner\Local Settings\Application Data\mibupupa.dll
c:\documents and settings\Owner\Local Settings\Application Data\nygolonip.vbs
C:\fhlyeby.exe
c:\program files\Common Files\murawyhyr._sy
c:\program files\Common Files\obexo.db
c:\program files\Common Files\unequ.pif
c:\program files\Common Files\uqihaha.ban
c:\windows\jegozy.bin
c:\windows\kyto.scr
c:\windows\ojidiq.reg
c:\windows\system32\kiqizuxade.com
c:\windows\system32\nuseqo.com
c:\windows\system32\opufyd.pif
c:\windows\system32\pimuvah.sys
c:\windows\system32\wisdstr.exe

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\proquota.exe --> c:\windows\system32\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-06-19 to 2009-07-19 )))))))))))))))))))))))))))))))
.

2009-07-19 23:05 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-19 23:05 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-18 19:43 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-18 19:39 . 2009-07-18 19:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-18 19:37 . 2009-07-18 19:37 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\program files\NOS
2009-07-18 13:50 . 2009-07-18 13:50 -------- d-----w- c:\program files\Trend Micro
2009-07-16 22:56 . 2009-07-16 22:56 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-07-16 22:55 . 2009-07-16 22:55 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-16 22:53 . 2009-07-16 22:53 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-07-16 21:39 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-16 21:39 . 2009-07-16 21:39 -------- d-----w- c:\windows\ie8updates
2009-07-16 21:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-16 21:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-16 21:33 . 2009-07-16 21:38 -------- dc-h--w- c:\windows\ie8
2009-07-15 02:41 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-15 02:40 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-15 02:40 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-15 02:40 . 2009-07-19 15:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-07-15 02:40 . 2009-07-15 02:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-15 02:40 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-15 02:40 . 2009-07-17 07:18 -------- d-----w- c:\program files\Spyware Doctor
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-07-15 02:08 . 2009-07-15 02:08 -------- d-----w- c:\program files\Enigma Software Group
2009-07-15 01:58 . 2009-07-15 01:58 15533 ----a-w- c:\program files\Common Files\olub.com
2009-07-15 01:58 . 2009-07-15 01:58 15269 ----a-w- c:\documents and settings\Owner\Application Data\pasobaky.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 23:15 . 2004-05-27 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-07-18 20:19 . 2009-03-31 22:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 19:42 . 2004-05-16 16:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-03-31 22:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-03-31 22:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 20:01 . 2009-02-09 00:46 -------- d-----w- c:\program files\3DO
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-05-13 18:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 20:24 . 2009-05-20 20:24 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-13 05:15 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2007-03-03 01:15 . 2007-03-03 01:15 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-12-30 13:19 . 2007-02-20 00:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-30 13:19 . 2007-02-20 00:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-30 13:19 . 2007-02-20 00:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-30 13:19 . 2007-02-20 00:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-30 13:19 . 2007-02-20 00:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-06-05 17:12 . 2006-06-05 17:12 8 --sh--r- c:\windows\SYSTEM32\C359C33EBB.sys
2006-06-05 17:12 . 2006-06-05 17:12 3350 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------


[-] 2009-07-18 13:28 28672 9BA5A2F0BC70019C96510D730F5692DD c:\windows\SYSTEM32\DLLCACHE\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\SYSTEM32\DRIVERS\bsstor.sys [12/27/2003 6:10 PM 9344]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/14/2009 7:40 PM 130936]
R2 BsUDF;InCD UDF Driver;c:\windows\SYSTEM32\DRIVERS\bsudf.sys [12/27/2003 6:10 PM 455552]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/18/2009 12:37 PM 66056]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/14/2009 7:40 PM 348752]
S3 VVBETHERNET;Actiontec Gateway Service;c:\windows\SYSTEM32\DRIVERS\VVBETH.SYS [12/27/2003 4:48 PM 15309]
S3 vvbususb;Actiontec Gateway USB Service;c:\windows\SYSTEM32\DRIVERS\VVBUSUSB.SYS [12/27/2003 4:48 PM 50911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gh5zw9eu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-19 16:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-07-19 16:23
ComboFix-quarantined-files.txt 2009-07-19 23:22
ComboFix2.txt 2009-07-19 15:33

Pre-Run: 43,185,905,664 bytes free
Post-Run: 43,158,941,696 bytes free

197 --- E O F --- 2009-07-16 21:40

Now open a new notepad file.
Input this into the notepad file:

Rootkit::
c:\windows\SYSTEM32\C359C33EBB.sys

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

OK here is the next one:

ComboFix 09-07-20.01 - Owner 07/20/2009 15:04.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.241 [GMT -7:00]
Running from: c:\games\Combo-Fix.exe
Command switches used :: c:\games\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-06-20 to 2009-07-20 )))))))))))))))))))))))))))))))
.

2009-07-19 23:05 . 2004-08-04 07:56 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-19 23:05 . 2004-08-04 07:56 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-18 19:43 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-07-18 19:39 . 2009-07-18 19:39 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-18 19:37 . 2009-07-18 19:37 86016 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS\Adobe_Downloads\arh.exe
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NOS
2009-07-18 19:37 . 2009-07-18 19:37 -------- d-----w- c:\program files\NOS
2009-07-18 13:50 . 2009-07-18 13:50 -------- d-----w- c:\program files\Trend Micro
2009-07-16 22:56 . 2009-07-16 22:56 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE
2009-07-16 22:55 . 2009-07-16 22:55 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
2009-07-16 22:53 . 2009-07-16 22:53 -------- d-sh--w- c:\documents and settings\Owner\IETldCache
2009-07-16 21:39 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-16 21:39 . 2009-07-16 21:39 -------- d-----w- c:\windows\ie8updates
2009-07-16 21:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-16 21:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-16 21:33 . 2009-07-16 21:38 -------- dc-h--w- c:\windows\ie8
2009-07-15 02:41 . 2008-12-11 15:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-07-15 02:40 . 2009-04-03 18:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-07-15 02:40 . 2008-12-18 19:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-15 02:40 . 2009-07-19 15:02 -------- d---a-w- c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
2009-07-15 02:40 . 2009-07-15 02:41 -------- d-----w- c:\program files\Common Files\PC Tools
2009-07-15 02:40 . 2008-12-10 18:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-07-15 02:40 . 2009-07-17 07:18 -------- d-----w- c:\program files\Spyware Doctor
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\Owner\Application Data\PC Tools
2009-07-15 02:40 . 2009-07-15 02:40 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PC Tools
2009-07-15 02:08 . 2009-07-15 02:08 -------- d-----w- c:\program files\Enigma Software Group
2009-07-15 01:58 . 2009-07-15 01:58 15533 ----a-w- c:\program files\Common Files\olub.com
2009-07-15 01:58 . 2009-07-15 01:58 15269 ----a-w- c:\documents and settings\Owner\Application Data\pasobaky.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 23:15 . 2004-05-27 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM
2009-07-18 20:19 . 2009-03-31 22:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-18 19:42 . 2004-05-16 16:07 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-13 20:36 . 2009-03-31 22:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-03-31 22:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 20:01 . 2009-02-09 00:46 -------- d-----w- c:\program files\3DO
2009-06-16 14:36 . 2003-07-16 20:47 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-07-16 20:28 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2003-05-13 18:28 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-20 20:24 . 2009-05-20 20:24 2967799 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-13 05:15 . 2004-02-07 01:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:32 . 2003-07-16 20:32 345600 ----a-w- c:\windows\system32\localspl.dll
2007-03-03 01:15 . 2007-03-03 01:15 50688 ----a-w- c:\program files\ATF-Cleaner.exe
2008-12-30 13:19 . 2007-02-20 00:05 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-30 13:19 . 2007-02-20 00:05 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-30 13:19 . 2007-02-20 00:05 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-30 13:19 . 2007-02-20 00:05 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2008-12-30 13:19 . 2007-02-20 00:05 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2006-06-05 17:12 . 2006-06-05 17:12 3350 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
.

------- Sigcheck -------


[-] 2009-07-18 13:28 28672 9BA5A2F0BC70019C96510D730F5692DD c:\windows\SYSTEM32\DLLCACHE\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-16 13529088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\backWeb-7288971.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\Winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"c:\\Program Files\\GameHouse\\TextTwist\\TextTwist.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 BsStor;InCD Storage Helper Driver;c:\windows\SYSTEM32\DRIVERS\bsstor.sys [12/27/2003 6:10 PM 9344]
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/14/2009 7:40 PM 130936]
R2 BsUDF;InCD UDF Driver;c:\windows\SYSTEM32\DRIVERS\bsudf.sys [12/27/2003 6:10 PM 455552]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [7/18/2009 12:37 PM 66056]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/14/2009 7:40 PM 348752]
S3 VVBETHERNET;Actiontec Gateway Service;c:\windows\SYSTEM32\DRIVERS\VVBETH.SYS [12/27/2003 4:48 PM 15309]
S3 vvbususb;Actiontec Gateway USB Service;c:\windows\SYSTEM32\DRIVERS\VVBUSUSB.SYS [12/27/2003 4:48 PM 50911]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.yahoo.com/
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gh5zw9eu.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-20 15:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\windows\SYSTEM32\DRIVERS\KodakCCS.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2009-07-20 15:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-20 22:23
ComboFix2.txt 2009-07-19 23:23
ComboFix3.txt 2009-07-19 15:33

Pre-Run: 43,125,395,456 bytes free
Post-Run: 43,096,219,648 bytes free

155 --- E O F --- 2009-07-16 21:40

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Here is the MBAM log:


Malwarebytes' Anti-Malware 1.39
Database version: 2475
Windows 5.1.2600 Service Pack 3

7/21/2009 2:55:15 PM
mbam-log-2009-07-21 (14-55-15).txt

Scan type: Quick Scan
Objects scanned: 128141
Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{46c166aa-3108-11d4-9348-00c04f8eeb71}\inprocserver32\(default) (Hijack.Hnetcfg) -> Bad: (\\?\globalroot\systemroot\installer\284543e0.msi) Good: (hnetcfg.dll) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\kart_1247619820 (Trojan.LdPinch) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\application data\pasobaky.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Cookies\egiqef.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\Cookies\ykaqu.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DLLCACHE\beep.sys (Fake.Beep.sys) -> Quarantined and deleted successfully.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

No pop-ups but I have been keeping the family off of it for the last few days. I will give it a go. Thanks so much.

No problem, glad we could

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.