WiredWX Christian Hobby Weather Tools

desktop, admin rights, antivirus crashes while loading

3 posters

so im not sure how i got this virus/spyware/trojan thing but it has removed my rights as admin, desktop, access to control panel. and it even crashes almost every antispy/anti virus program i install even in safe mode.

i have installed spybot, superantispyware, malwarebytes, and avg and when i do a scan the programs crash and im no longer able to run them again.
when i try to open them it says
"windows cannot access the specified device, path, or file. you may not have the appropriate permissions to access the item."

and this is when i run in normal mode and safe mode. the programs get corrupt or something after i install and try to run.

i was reading through posts and some people provide logs (the hijackthis program), so i tried to get one to post it here, but of course when it scans the program crashes and then i cant open it again.

so what can i do now...i cant take it to a professional or reinstall the disc it came with since i no longer have them. i have to do this manually. so what now..suggestions, help..

oh yeah i restored my computer to the only day i could (the day before i got the virus) and my desktop, start menu everything was back, but it was only for a few seconds then the virus reactivated or something and all my rights were gone again.

*the only successful program that ive been able to run is spyware doctor but that has not removed the problem.

i can still use task manager + internet.

the rights to use explore.exe are gone too thats not a solution.


please help.

and i was able to use adwarebot and it says i have a trojan, and a geral downloader and zlob downloader, but adware could remove them since i did not buy the program

so i ran systemlook since its the only one i can run:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:03 on 09/09/2009 by Ronrris (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [04:00 04/08/2004] [04:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [04:00 04/08/2004] [04:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\Program Files\ThinkVantage Fingerprint Software\eventlog.dll --a--- 33280 bytes [22:57 14/08/2007] [22:57 14/08/2007] 0E7DFE44AAA02A1F523CD4180A443C30
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [04:00 04/08/2004] [04:00 04/08/2004] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

Re: desktop, admin rights, antivirus crashes while loading
ComboFix

Please download ComboFix from Here or Here
Make sure to save the file, not open it, and in the file-name box, rename it to CMF.com
* IMPORTANT !!! Save CMF.com to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on CMF.com & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Re: desktop, admin rights, antivirus crashes while loading
i couldnt install Cmf.com

i got pop up warning sign labeled

cmd.exect-Unable to locate component


"This application has failed to start because MSVCR80.Dll was not found. Re-installing the application may fix this problem."


i then click OK button and i get the message again, click Ok again and get it once more and then nothing loads.


EDIT: i downloaded the MSVCR80.Dll file from a site http://www.dll-files.com/dllindex/dll-files.shtml?msvcr80

and copied MSVCR80.Dll to system folder , but now when i open the cmf.com i get this:
"the procedure entry point_initenv could not be located in the dynamic link library vmsvcrt.dll"

Re: desktop, admin rights, antivirus crashes while loading
Hi

We shall re-route then.

Please close all anti virus, anti malware and any other open programs/windows so they do not interfere with the running of RootRepeal.

  • Please download RootRepeal.zip from here.
  • Extract the program file to your Desktop.
  • Run the program RootRepeal.exe and go to the Report tab and click on the Scan button.
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the Desktop.
  • Please copy/paste the contents of the report in your next reply.
NOTE! Please remove any e-mail address in the RootRepeal report (if present).

Re: desktop, admin rights, antivirus crashes while loading
the RootRepeal.exe crashes/closes once it begins to scan.


i tried it in safe mode in admin and the same thing happened.
i really appreciate your help.

ill be on here all day, checking this topic every hour


EDIT: im not sure if any more anti virus programs are running, i uninstalled all of the ones i was on the add/remove using CCleaner.exe

i also ended everything on process tab in task manager except for :
svchost.exe system
svchost.exe network
svchost.exe system
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
system+ system idle process

*these i couldnt close through taskmanager (thats what it said) or my comp turned off if i closed svchost

Re: desktop, admin rights, antivirus crashes while loading


Roger that

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: desktop, admin rights, antivirus crashes while loading
Download and run Win32kDiag:

Re: desktop, admin rights, antivirus crashes while loading
Log file is located at: C:\Documents and Settings\Ronrris\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB925902\KB925902

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928255\KB928255

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB928843\KB928843

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB929123\KB929123

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB930178\KB930178

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB935839\KB935839

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB936021\KB936021

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB936357\KB936357

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938828\KB938828

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938829\KB938829

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941202\KB941202

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d1\d1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d2\d2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d3\d3

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d4\d4

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d5\d5

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d6\d6

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d7\d7

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CSC\d8\d8

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\explorer.exe

[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\explorer.exe ()

[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)

[2] 2007-01-05 21:59:44 1033216 C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP5\A0004296.exe (Microsoft Corporation)



Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\DFS\DFS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System\News\News

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\System_OEM\System_OEM

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\Temp\Temp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PIF\PIF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Registration\CRMLog\CRMLog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\security\logs\logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\SoftwareDistribution\authcabs\Downloaded\Downloaded

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Sun\Java\Deployment\Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1025\1025

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1028\1028

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1031\1031

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1037\1037

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1041\1041

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1042\1042

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\1054\1054

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\2052\2052

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3076\3076

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\3com_dmi\3com_dmi

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\MACHINE\MACHINE

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-2049760794-682003330-1003\S-1-5-21-515967899-2049760794-682003330-1003

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\appmgmt\S-1-5-21-515967899-2049760794-682003330-1007\S-1-5-21-515967899-2049760794-682003330-1007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\Media Player\Media Player

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\Certificates\Certificates

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CRLs\CRLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\SystemCertificates\My\CTLs\CTLs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Desktop\Desktop

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Favorites\Favorites

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Office\Groove\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\BTN%Copy%1\BTN%Copy%2\BTN%Copy%2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\Google Toolbar\Google Toolbar

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\GUM296.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\GUM8.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\GUM92.tmp\CrashReports\CrashReports

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\MPTelemetrySubmit\MPTelemetrySubmit

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\ZUM1.tmp\ZUM1.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\~nsu.tmp\~nsu.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\My Documents\My Documents

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\NetHood\NetHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\PrintHood\PrintHood

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\config\systemprofile\Recent\Recent

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\dhcp\dhcp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\drivers\disdn\disdn

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-03 21:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()

[2] 2004-08-03 21:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)



Found mount point : C:\WINDOWS\system32\export\export

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\Machine\Machine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\GroupPolicy\User\User

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNT

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\inetsrv\inetsrv

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\LogFiles\WUDF\WUDF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\Microsoft\Crypto\RSA\MachineKeys\MachineKeys

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\mui\dispspec\dispspec

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcust

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhw

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemreg

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\oobe\sample\sample

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\rundll32.exe

[1] 2004-08-03 21:00:00 33280 C:\WINDOWS\system32\rundll32.exe ()



Found mount point : C:\WINDOWS\system32\ShellExt\ShellExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\UpMedia\UpMedia

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\Logs\Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\bad\bad

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\mof\good\good

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wbem\snmp\snmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\wins\wins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\system32\xircom\xircom

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\2wswlog\2wswlog

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\config\config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\dun13\dun13

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\includes\includes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\resolutions\esp\pages\pages

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\skins\Srt\Srt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\skins\Update_Finish\Update_Finish

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\skins\Update_General\Update_General

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Temp\FinePoint\var\esp\esp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTemp

Mount point destination : \Device\__max++>\^



Finished!
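
Log triage for a Win32kDiag report in the layout above, added here as an example; it is not part of the thread and not code from Win32kDiag. It counts mount points whose destination lies outside the usual `\??\` namespace and lists each "Cannot access" file whose parenthesised field is empty. The sample lines are constructed, and the `\??\` rule, the reading of the parenthesised field as the version-info company name, and all function names are assumptions.

```python
import re
from collections import Counter
from ntpath import normcase

# Constructed sample in the layout of the Win32kDiag log above (not the full log).
# The "C:\WINDOWS\Temp\archive" junction is a made-up ordinary entry for contrast.
SAMPLE_LOG = r"""
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\addins\addins
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Temp\archive
Mount point destination : \??\D:\archive
Cannot access: C:\WINDOWS\explorer.exe
[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\explorer.exe ()
[1] 2007-06-13 04:26:03 1033216 C:\WINDOWS\system32\dllcache\explorer.exe (Microsoft Corporation)
Cannot access: C:\WINDOWS\system32\eventlog.dll
[1] 2004-08-03 21:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()
[2] 2004-08-03 21:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)
Finished!
"""

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+)$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+)$")
DENIED_RE = re.compile(r"^Cannot access:\s*(.+)$")
# "[n] date time size path (company)"; the company field may be empty.
FILE_RE = re.compile(
    r"^\[\d+\]\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(.+?)\s+\(([^()]*)\)$")


def parse_win32kdiag(text):
    """Return (mounts, denied): [(path, destination)] and {path: [file records]}."""
    mounts, denied = [], {}
    pending, current = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := MOUNT_RE.match(line):
            pending, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := DENIED_RE.match(line):
            current = m.group(1)
            denied[current] = []
        elif (m := FILE_RE.match(line)) and current:
            stamp, size, path, company = m.groups()
            denied[current].append(
                {"time": stamp, "size": int(size), "path": path, "company": company})
    return mounts, denied


def is_ordinary_target(dest):
    # Assumption: ordinary junctions and volume mount points resolve into the
    # "\??\" namespace (drive letter or Volume{GUID}); anything else gets reviewed.
    return dest.startswith("\\??\\")


def _repeats_parent(path):
    # Shape seen throughout the log above: the last component repeats its parent.
    parts = normcase(path).rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1] == parts[-2]


def triage(text):
    mounts, denied = parse_win32kdiag(text)
    odd = [(p, d) for p, d in mounts if not is_ordinary_target(d)]
    findings = []
    for target, records in denied.items():
        own = [r for r in records if normcase(r["path"]) == normcase(target)]
        # Same size is only a hint that a copy matches; compare hashes against
        # a known-good file before using it as a replacement.
        copies = [r["path"] for r in records
                  if own and r["company"] and r["size"] == own[0]["size"]
                  and normcase(r["path"]) != normcase(target)]
        findings.append({
            "path": target,
            "no_version_info": bool(own) and all(r["company"] == "" for r in own),
            "same_size_copies": copies,
        })
    return {
        "mount_points": len(mounts),
        "odd_destinations": Counter(d for _, d in odd),
        "self_named": [p for p, _ in odd if _repeats_parent(p)],
        "inaccessible": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("mount points:", report["mount_points"])
    for dest, count in report["odd_destinations"].most_common():
        print(f"  {count} x unusual destination {dest}")
    for item in report["inaccessible"]:
        print("inaccessible:", item["path"],
              "| empty company field:", item["no_version_info"],
              "| same-size copies:", item["same_size_copies"] or "none")
```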

Re: desktop, admin rights, antivirus crashes while loading
Hi

STEP #1


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

@COPY /Y C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll C:\Eventlog.dll
@DIR /A/B C:\Eventlog.dll
@PAUSE
@DEL %0



Save this as MakeCopy.bat Choose to "Save type as - All Files"
It should look like this: [image: Bat_icon]
Double click on MakeCopy.bat & allow it to run

Post back to tell me what it says

------------


STEP #2


  1. Download The Avenger2 by SwanDog46.
  2. Unzip avenger.exe to your desktop.
  3. Copy the text in the following quotebox by selecting all of it, and right clicking and selecting "Copy"

    Files to move:
    c:\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  5. Read the prompt that appears, and press OK.
  6. Paste the script into the textbox that appears, by right clicking and choosing "Paste".
  7. Press the "Execute" button.
  8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.


==

If anything ends in error, such as "Windows cannot find the file specified" or any other related errors, do not continue and post back here what the errors were.

Re: desktop, admin rights, antivirus crashes while loading
for step #1

its says:
cmd.exe- Entry Point Not Found

The procedure entry point_initenv could not be located in the dynamic link library vmsvcrt.dll

Re: desktop, admin rights, antivirus crashes while loading
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: desktop, admin rights, antivirus crashes while loading
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: desktop, admin rights, antivirus crashes while loading
once it restarted, avenger did not open on its own like you said, good thing you told me where the text file was located. thats why i took so long.

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please delete cmf.com.

==
Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: desktop, admin rights, antivirus crashes while loading
okay, its been 4 min of scanning.

im really excited, it usually closed after 2 sec of scanning, thanks a lot.
ill post what you said once its done scanning

Re: desktop, admin rights, antivirus crashes while loading
Hi

Post when ready. Smile...

Re: desktop, admin rights, antivirus crashes while loading
i will, 39 thousand files scanned so far, in 29 min with 11 infections.

i dont know how much longer it will take but ill definitely post it once its done.

thank you very much for helping me so far. Thank You! Big Grin

Re: desktop, admin rights, antivirus crashes while loading
here is the log, now its asking me to restart so brb



Malwarebytes' Anti-Malware 1.41
Database version: 2777
Windows 5.1.2600 Service Pack 2

9/10/2009 9:58:22 PM
mbam-log-2009-09-10 (21-58-22).txt

Scan type: Full Scan (C:\|)
Objects scanned: 185343
Time elapsed: 1 hour(s), 25 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 13
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\tbsb07396.ietoolbar.1 (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb07396.tbsb07396 (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\tbsb07396.tbsb07396.3 (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar3.tbsb07396.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{b7d3e479-cc68-42b5-a338-938ece35f419} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\zango 10.3.75.0 (Adware.Zango) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Ronrris\Application Data\AdwareBot (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\Log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\Settings (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\res1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crissy\Application Data\ShoppingReport (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crissy\Application Data\ShoppingReport\cs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crissy\Application Data\ShoppingReport\cs\dwld (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.

Files Infected:
C:\Avenger\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP10\A0006252.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP11\A0009437.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP2\A0000044.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP2\A0000045.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP2\A0000046.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP2\A0000047.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP2\A0000049.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP5\A0003137.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\rs.dat (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\Log\2009 Sep 09 - 03_49_53 PM_828.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\Log\2009 Sep 09 - 09_16_32 PM_343.log (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ronrris\Application Data\AdwareBot\Settings\ScanResults.pie (Rogue.AdwareBot) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db\Aliases.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\db\Sites.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\dwld\WhiteList.xip (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report\aggr_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\report\send_storage.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Admin\Application Data\ShoppingReport\cs\res1\WhiteList.dbs (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\Documents and Settings\Crissy\Application Data\ShoppingReport\cs\Config.xml (Adware.ShopperReports) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACnmtvxfjdbq.db (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\AdwareBot Scheduled Scan.job (Rogue.AdwareBot) -> Quarantined and deleted successfully.

Re: desktop, admin rights, antivirus crashes while loading
Hi

I have bad news. Your logs reveal an information stealing trojan.

I recommend that you disconnect this PC from the Internet while not in use, and only reconnect to download any tools that are required and post replies back here. If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation as soon as possible.

Resourceful links:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
Identity Theft Victims Guide - What to do

If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

With that said, please do the following:

ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[Image: RcAuto1]


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: Whatnext]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Re: desktop, admin rights, antivirus crashes while loading
can run combofix.exe

the produce entry point_initenv could not be located in the dynamic link library vmsvcrt.dll



*how can i disconnect from internet if i dont have access to start menu or desktop?

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please boot back to Normal Mode, if possible, then try the instructions again.

If ComboFix cannot run, please do another Full scan with Malwarebytes and post that log in your next reply.

Re: desktop, admin rights, antivirus crashes while loading
everything that ive done so far has been done in normal mode.

i rebooted and tried to open combofix in safemode and same error, i then ran a full scan using Malwarebytes in safe mode (the one i posted earlier was in normal mode)

after the scan i tried again to open combofix in both normal and safe mode and i got the same error
"the produce entry point_initenv could not be located in the dynamic link library vmsvcrt.dll"

here's the log i just ran in safe mode :

Re: desktop, admin rights, antivirus crashes while loading
Malwarebytes' Anti-Malware 1.41
Database version: 2777
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/10/2009 11:44:56 PM
mbam-log-2009-09-10 (23-44-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 182830
Time elapsed: 55 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: desktop, admin rights, antivirus crashes while loading
Hi

We need to fix several issues that are causing malware to have control.

Please download DragonFix by DragonMaster Jay from here: http://hmoslabs.webs.com/DragonFix.zip

Save it to your Desktop. Extract the files.

Process:
1 Disable realtime protection.

2 Double-click RunFirst.vbs. Follow the prompts and make sure it completes.

3 Double-click DragonFix.reg, and follow the prompt.

4 Restart your computer.

==


  1. Copy the text in the following quotebox by selecting all of it, and right clicking and selecting "Copy"


    Files to move:
    c:\windows\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  2. Now start The Avenger2 by double clicking avenger.exe on your desktop.
  3. Read the prompt that appears, and press OK.
  4. Paste the script into the textbox that appears, by right clicking and choosing "Paste".
  5. Press the "Execute" button.
  6. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
    Note: It is possible that Avenger will reboot your system TWICE.
  7. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.

Re: desktop, admin rights, antivirus crashes while loading
for dragonfix, when i run runfirst.vbs it asks me to type in the name for the system restore.

i dont know what to put i cant go on without putting it.

Re: desktop, admin rights, antivirus crashes while loading
Place in something simple like your name, or dragon. Anything, really.

Re: desktop, admin rights, antivirus crashes while loading
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open file "c:\windows\ServicePackFiles\i386\eventlog.dll" for move operation
File move operation "c:\windows\ServicePackFiles\i386\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan.

==

Go Start and then to Run,
Type in: sfc /scannow
Click OK.
Have Windows CD/DVD handy.
If System File Checker (sfc) finds any errors, it may ask you for the CD/DVD.
If sfc does not find any errors in Windows XP, it will simply quit, without any message.

If you don't have Windows CD....

Go Start and then Run
type in regedit and click OK


Navigate to the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

On the right hand side, find: SourcePath

It probably has an entry pointing to your CD-ROM drive, usually D and that is why it is asking for the XP CD.
All we need to do is change it to: C:
Now, double click the SourcePath setting and a new box will pop up.
Change the drive letter from your CD drive to your root drive, usually C:
Close Registry Editor.

Now restart your computer and try sfc /scannow again!

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.

==

Post the following log in your next reply:

Malwarebytes log

Also, please tell me any errors that might have popped up in the SFC scan, and tell me how your computer is running.

Re: desktop, admin rights, antivirus crashes while loading
here is the Malwarebytes log,
i will now start working on the System File Checker




Malwarebytes' Anti-Malware 1.41
Database version: 2782
Windows 5.1.2600 Service Pack 2

9/11/2009 3:46:43 PM
mbam-log-2009-09-11 (15-46-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183966
Time elapsed: 1 hour(s), 23 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP12\A0009780.exe (Trojan.Banker) -> Quarantined and deleted successfully.
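
The three Malwarebytes logs posted up to this point can be compared mechanically. The Python below is an added example, not code from the thread or from Malwarebytes: it parses the 1.41 text-log layout shown above and lists detections that come back after an earlier scan reported them deleted. The function names are my own, and the sample input is trimmed from the three logs in this thread.

```python
import re
from collections import defaultdict

# A section header ends with a colon ("Registry Values Infected:"). The summary
# counters near the top ("Registry Values Infected: 5") carry a number and are skipped.
SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<object> (<Family.Name>) -> [Bad: (..) Good: (..) -> ]<action>"
ITEM_RE = re.compile(r"^(.+?) \(([A-Za-z]+\.[A-Za-z0-9.]+)\) -> (.+)$")


def parse_mbam_log(text):
    """Parse one Malwarebytes 1.41 text log into a list of detection records."""
    records, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            continue
        item = ITEM_RE.match(line) if section else None
        if item:
            obj, detection, rest = item.groups()
            records.append({
                "section": section,
                "object": obj,
                "detection": detection,
                # The action is whatever follows the last "->".
                "action": rest.split(" -> ")[-1].rstrip("."),
            })
    return records


def recurring_detections(scans):
    """Given [(label, log_text), ...] in time order, return the detections
    seen in more than one scan as {(object_lowercased, detection): [labels]}."""
    seen = defaultdict(list)
    for label, text in scans:
        for rec in parse_mbam_log(text):
            key = (rec["object"].lower(), rec["detection"])
            if label not in seen[key]:
                seen[key].append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}


# Excerpts trimmed from the three logs posted in this thread (most lines omitted).
SCAN_1 = r"""Registry Values Infected: 5

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\UACnmtvxfjdbq.db (Rootkit.TDSS) -> Quarantined and deleted successfully.
"""

SCAN_2 = r"""Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
"""

SCAN_3 = r"""Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{173839D0-0CE0-4938-B2BF-2A7AC0952F88}\RP12\A0009780.exe (Trojan.Banker) -> Quarantined and deleted successfully.
"""

SCANS = [
    ("2009-09-10 21:58 normal mode", SCAN_1),
    ("2009-09-10 23:44 safe mode", SCAN_2),
    ("2009-09-11 15:46 normal mode", SCAN_3),
]

if __name__ == "__main__":
    for (obj, detection), labels in recurring_detections(SCANS).items():
        print(f"{detection}: {obj}")
        print("    seen in: " + "; ".join(labels))
```

On these excerpts the `RunOnce\cleanup` value (Trojan.Banker) is reported in both the 9/10 and 9/11 normal-mode scans, and the two Explorer policy values return in the safe-mode scan, so "Quarantined and deleted successfully" in one log did not mean the item stayed gone.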

Re: desktop, admin rights, antivirus crashes while loading
Hi

Tell me when you completed it, please.

Re: desktop, admin rights, antivirus crashes while loading
when i do sfc /scannow it asks for the cd which i dont have.

i changed the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup SourcePath to C: like you said

i rebooted twice already and i get the same message, insert cd.
i then try to cancel it since, i only get the options retry/moreinfo/cancel

and a file protection scan starts but i get a pop up saying the following:

"files that are required for windows to run properly must be copied to the DLL Cache

insert your windows xp professional service pack 2 cd now"

Re: desktop, admin rights, antivirus crashes while loading
anything i could do?

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please open SystemLook, and paste the contents of the quotebox below, in to the program, and click Look:

:filefind
c:\windows\ServicePackFiles\i386\eventlog.dll
C:\WINDOWS\system32\eventlog.dll

Post the results of that in your next reply.

==

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Full Scan, and press Scan.

Please post the SystemLook log and the Malwarebytes log in your next reply.

Re: desktop, admin rights, antivirus crashes while loading
p3lover wrote:
when i do sfc /scannow it asks for the cd which i dont have.

i changed the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup SourcePath to C: like you said


That should have been named C:\. If you do not have the \ backslash in there, it will not work.

Try that as well, then re-run SFC as I noted above.

Re: desktop, admin rights, antivirus crashes while loading
here's the systemlook log, ill start scanning using malwarebytes right now (it usually takes over an hour to completely scan)

and i did have it as C:\ but i'll try it again




SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:27 on 11/09/2009 by Ronrris (Administrator - Elevation successful)

========== filefind ==========

Searching for "c:\windows\ServicePackFiles\i386\eventlog.dll"
No files found.

Searching for "C:\WINDOWS\system32\eventlog.dll"
No files found.

-=End Of File=-

Re: desktop, admin rights, antivirus crashes while loading
yup, same error, it asks for the cd and says this

"files that are required for windows to run properly must be copied to the DLL Cache

insert your windows xp professional service pack 2 cd now"

i will now start the malwarebytes scan

Re: desktop, admin rights, antivirus crashes while loading
Hi

I am going to upload a clean copy of eventlog.dll.

I will send the download link here soon. Please be patient, as I will post back here.

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please download eventlog.dll from here: http://rapidshare.com/files/278884477/eventlog.dll.html

Save it to your Desktop. Then, copy and paste it in to C:\Windows\System32

==

Post the Malwarebytes log when ready.

Re: desktop, admin rights, antivirus crashes while loading
Malwarebytes' Anti-Malware 1.41
Database version: 2782
Windows 5.1.2600 Service Pack 2

9/11/2009 10:07:54 PM
mbam-log-2009-09-11 (22-07-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 183892
Time elapsed: 1 hour(s), 21 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: desktop, admin rights, antivirus crashes while loading
Hi

Was placing the copy of eventlog.dll in your System32 folder successful?

Re: desktop, admin rights, antivirus crashes while loading
yes

all i did was copy it to the folder you said.

i still have a copy in the desktop.

Re: desktop, admin rights, antivirus crashes while loading
Hi

Hooray! Your computer is clean!
Delete the eventlog.dll on your Desktop.
==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

  • Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
  • Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
  • PC Tools Firewall Plus: free and excellent firewall.


AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Re: desktop, admin rights, antivirus crashes while loading
but i still dont have my desktop, start menu, or admin rights

and i cant right click on the desktop.
i only have access to the task manager. i thought i told you in my very first post.


everything ive done so far has been through the task manager.

and really thank you very much for your help so far.

Re: desktop, admin rights, antivirus crashes while loading
Hi

Please see the following article to restore security settings to their defaults, which will help admin rights to be regained.
http://support.microsoft.com/kb/313222

In the middle of the page, download "Microsoft Fix It"

Then, post back here with the results. Do you have admin rights?

==

TrendMicro™️ HouseCall Java Scan

  • Please go HERE to run the Trend Micro™️ HouseCall Scan.
  • Click Scan now. It's free!
  • Read and put a Check next to Yes I accept the terms of use.
  • Click the Launching HouseCall>> button.
  • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
  • You may receive a Security Warning about the TrendMicro Java applet, click YES.
  • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
  • Please be patient while it installs, updates, and scans your system.
  • Once the scan is complete, it will take you to the summary page.
  • Under Cleanup options, choose clean all detected infections automatically.
  • Click the Clean now>> button.
  • If anything was found you may be prompted to run the scan again, you can just close the browser window.


Please tell me of any results from that. Also, if any of the problems with crashing have been solved.

Re: desktop, admin rights, antivirus crashes while loading
Microsoft Fix It is processing and restoring at a real slow rate, this will probably take a while

Re: desktop, admin rights, antivirus crashes while loading
YESSSSS!!!!!! THANK YOU SOOOO MUCH!!!!!! WOOT!!!!

you are awesome!!!!!


my desktop is back, and so are my admin rights.

i am now going to run TrendMicro

Re: desktop, admin rights, antivirus crashes while loading
everything runs real smooth, no problems at all, except for when i run trendmicro

once its a little bit more than 3/4 complete it freezes and stops scanning, it has a timer of how much longer till scan is complete and it stops when it freezes so im not running that again. i tried it 3 times.

Re: desktop, admin rights, antivirus crashes while loading
Hi

How is the antivirus working? Does it crash?

Do you confirm the admin rights, and Desktop crashes have been fixed?

==

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:

  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually. It should delete SystemLook, Win32kDiag, ComboFix, and The Avenger.

Re: desktop, admin rights, antivirus crashes while loading
everything works, thanks

but i dont have an antivirus
i only have malwarebytes, and pc tools firewall plus

is there an antivirus you recommend?

Re: desktop, admin rights, antivirus crashes while loading
Hi

AVG: http://free.avg.com
avast!: http://www.avast.com
Avira Antivir: http://www.free-av.com

All my other recommendations for other types of software were listed in an earlier post. (I see you have PC Tools Firewall Plus.)
