Nothing scans even in Safe Mode

2 posters

WiredWX Christian Hobby Weather Tools :: GeekPolice tech support archive :: Technical Support

Nothing scans even in Safe Mode12th September 2009, 11:44 pm

Hello,

Got hit with a virus this afternoon. I tried to reboot into Safe Mode and do the usual, run HJT, Avast!, MWB, etc., but even in Safe Mode all of the programs get shut down as they start scanning. This virus even does something to the executable files for Avast, HJT, and MWB so that they can't be run again after they've been run once (I've taken to copying the EXE files before running them now).

Would greatly appreciate any help on this subject.

Re: Nothing scans even in Safe Mode13th September 2009, 1:33 am

Hi

Please download ComboFix from Here or Here to your Desktop.

**Note:
In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

If you are using Firefox, make sure that your download settings are as follows:
- Tools->Options->Main tab
- Set to "Always ask me where to Save the files".

During the download, rename Combofix to Combo-Fix as follows:

Nothing scans even in Safe Mode CF_download_FF

Nothing scans even in Safe Mode CF_download_rename

It is important you rename Combofix during the download, but not after.

Please do not rename Combofix to other names, but only to the one indicated.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

Double click on combo-Fix.exe & follow the prompts.

When finished, it will produce a report for you.

Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method (above method), but name
Combofix.exe to iexplore.exe instead, or winlogon.exe.
This is because it also happens in some cases that malware blocks EVERY process except for what is in its own whitelist, so this whitelist also includes system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Nothing scans even in Safe Mode13th September 2009, 3:31 am

Hello DragonMaster Jay,

I've tried booting up in Safe Mode and running Combo-Fix.exe as explorer.exe, iexplore.exe, and winlogon.exe. Each time the program boots up, the gray bar fills up, and then the program seemingly shuts down. I get no prompt and no logfile is created.

Thanks for your help so far.

Re: Nothing scans even in Safe Mode13th September 2009, 3:38 am

Hi

I suspect a file infector, but it is needed to make sure. Try an online scan:

Please do a scan with Kaspersky Online Scanner
Click on the Accept button and install any components it needs.

The program will install and then begin downloading the latest definition files.
After the files have been downloaded on the left side of the page in the Scan section select My Computer.
This will start the program and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, click on View scan report
Now, click on the Save Report as button.
Save the file to your desktop.
Copy and paste that information in your next post.

Re: Nothing scans even in Safe Mode13th September 2009, 3:57 pm

Hello DragonMaster Jay,

I've tried running the Kaspersky Online Scanner. It downloads just fine, gets the updates, but then hangs on imagehlp.dll. I've tried this about 4 times and it keeps on doing the same thing. I've let it go for 40 minutes, and it still cannot finish scanning that one file.

Re: Nothing scans even in Safe Mode13th September 2009, 6:06 pm

Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
Code:
:filefind scecli.dll netlogon.dll eventlog.dll imagehlp.dll winlogon.exe winload.exe wininit.exe userinit.exe
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Nothing scans even in Safe Mode13th September 2009, 6:19 pm

Hello DragonMaster Jay,

Here is the log from SystemLook.exe

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:11 on 13/09/2009 by Dark Sword (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 174080 bytes [02:39 04/08/2005] [12:00 23/08/2001] 73968C834C316ADC7A2F07DC4B5F3665
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 180224 bytes [07:56 04/08/2004] [07:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\scecli.dll --a--- 181248 bytes [01:29 26/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [12:00 23/08/2001] [07:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 397824 bytes [02:39 04/08/2005] [12:00 23/08/2001] F41C1602DC79AB72035F2388FCA0255F
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [07:56 04/08/2004] [07:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\netlogon.dll --a--- 407040 bytes [01:29 26/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 23/08/2001] [07:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 47616 bytes [02:39 04/08/2005] [12:00 23/08/2001] A510B91253544D56B5712D66BE8371E9
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 55808 bytes [07:56 04/08/2004] [07:56 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\eventlog.dll --a--- 56320 bytes [01:28 26/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [12:00 23/08/2001] [07:56 04/08/2004] (Unable to calculate MD5)

Searching for "imagehlp.dll"
C:\Program Files\AIM\Sysfiles\imagehlp.dll --a--- 114688 bytes [05:05 19/08/2005] [00:30 02/05/2000] CCCDDB480EE79D9FEF804D393D782AE9
C:\WINDOWS\$NtServicePackUninstall$\imagehlp.dll -----c 126976 bytes [02:39 04/08/2005] [12:00 23/08/2001] A199848C4A4C4680FE68B369B6C56ADC
C:\WINDOWS\ServicePackFiles\i386\imagehlp.dll ------ 144384 bytes [07:56 04/08/2004] [07:56 04/08/2004] 5AFCE94E8286B2F57A04DA37F01BF21A
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\imagehlp.dll --a--- 144384 bytes [01:28 26/08/2008] [00:11 14/04/2008] CA648BD638245EB83F971FF71B031BEC
C:\WINDOWS\system32\imagehlp.dll --a--- 144384 bytes [12:00 23/08/2001] [07:56 04/08/2004] 5AFCE94E8286B2F57A04DA37F01BF21A

Searching for "winlogon.exe"
C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c 430080 bytes [02:39 04/08/2005] [12:00 23/08/2001] 02B61BAFFF7B020FC9F3C6D185219F77
C:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------ 502272 bytes [07:56 04/08/2004] [07:56 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe --a--- 507904 bytes [01:30 26/08/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [12:00 23/08/2001] [07:56 04/08/2004] 01C3346C241652F43AED8E2149881BFE

Searching for "winload.exe"
No files found.

Searching for "wininit.exe"
No files found.

Searching for "userinit.exe"
C:\WINDOWS\$NtServicePackUninstall$\userinit.exe -----c 21504 bytes [02:39 04/08/2005] [12:00 23/08/2001] 585398603F570F9705774D65D292E5D1
C:\WINDOWS\ServicePackFiles\i386\userinit.exe ------ 24576 bytes [07:56 04/08/2004] [07:56 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe --a--- 26112 bytes [01:30 26/08/2008] [00:12 14/04/2008] A93AEE1928A9D7CE3E16D24EC7380F89
C:\WINDOWS\system32\userinit.exe --a--- 24576 bytes [12:00 23/08/2001] [07:56 04/08/2004] 39B1FFB03C2296323832ACBAE50D2AFF

-=End Of File=-

Re: Nothing scans even in Safe Mode13th September 2009, 6:59 pm

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

Under "Input script here:", paste in the script from the quote box above.
Leave the ticked box "Scan for rootkit" ticked.
Then tick "Disable any rootkits found"
Now click on the Execute to begin execution of the script.
Answer "Yes" twice when prompted.

The Avenger will automatically do the following:
It will Restart your computer.
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

4. Please copy/paste the content of c:\avenger.txt into your reply.

==

Nothing scans even in Safe Mode Mbamicontw5

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
Please save the log to a location you will remember.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

==

Please include The Avenger report, and a Malwarebytes log, in your next reply.

Re: Nothing scans even in Safe Mode13th September 2009, 10:12 pm

Hello DragonMaster Jay,

Here is the avenger.txt log and two logs from Malware bytes. I realized that I had gone into Safe Mode without networking the first time, but let the scan finish, and scanned once more after logging in with networking and updating MWB.

Here's the avenger log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Here's MWB log 1:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/13/2009 3:49:52 PM
mbam-log-2009-09-13 (15-49-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 306775
Time elapsed: 1 hour(s), 14 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\UACxfdpjtnmoe.dll (Trojan.Agent) -> Delete on reboot.
\\?\globalroot\systemroot\system32\UACyyuedbpepm.dll (Rootkit.TDSS) -> Delete on reboot.
\\?\globalroot\systemroot\system32\UACbnymripypu.dll (Rootkit.TDSS) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\dnscache.dnscacheobj (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dnscache.dnscacheobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a2-94f3-42bd-f434-3604812c897d} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TDSSserv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\cleanup (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\UACxfdpjtnmoe.dll (Trojan.Agent) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\UACyyuedbpepm.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
\\?\globalroot\systemroot\system32\UACbnymripypu.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Avenger\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\phcn01j0e97g.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Here's MWB log 2:

Malwarebytes' Anti-Malware 1.41
Database version: 2792
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/13/2009 4:49:51 PM
mbam-log-2009-09-13 (16-49-51).txt

Scan type: Full Scan (C:\|)
Objects scanned: 263926
Time elapsed: 46 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dark Sword\Local Settings\Temp\UACe8aa.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACaqbdhylmro.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UAChhboslvnle.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACorgduqwsse.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\UACobrrfqjotf.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACvrnqngiidp.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACsbcxyehbke.db (Rootkit.TDSS) -> Quarantined and deleted successfully.

Re: Nothing scans even in Safe Mode13th September 2009, 10:48 pm

Hi

Now open a new notepad file.
Input this into the notepad file:

FCopy::
c:\windows\ServicePackFiles\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

Save this as CFscript.txt, save it to your desktop also.
Then drag and drop CFscript.txt into combofix as seen below:
Nothing scans even in Safe Mode Sfxdaw

This will open ComboFix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Re: Nothing scans even in Safe Mode14th September 2009, 12:05 am

Hello DragonMaster Jay,

Here's the ComboFix log:

ComboFix 09-09-13.04 - Dark Sword 3/2009 Sun 18:30.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1535.987 [GMT -5:00]
Running from: c:\documents and settings\Dark Sword\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dark Sword\Desktop\CFscript.txt
AV: avast! antivirus 4.8.1351 [VPS 090913-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
C:\HijackThis.exe
c:\windows\Installer\122efbf.msi
c:\windows\Installer\123cea8.msi
c:\windows\Installer\1c045b3.msi
c:\windows\Installer\1c045bc.msi
c:\windows\Installer\1c045c5.msi
c:\windows\Installer\1cc4e78.msi
c:\windows\Installer\225166e.msi
c:\windows\Installer\2251675.msi
c:\windows\Installer\2ae9e55.msi
c:\windows\Installer\3bc7d8a.msi
c:\windows\run.log
c:\windows\system32\.txt
c:\windows\system32\rotscxlxrjlxbg.dll
c:\windows\system32\rotscxtituwghq.dat
c:\windows\system32\rotscxwbgkcmeu.dat
c:\windows\system32\rotscxxvkyabct.dll
c:\windows\system32\rotscxymixgipj.dll

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_rotscxiqvdbakb
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_rotscxiqvdbakb

((((((((((((((((((((((((( Files Created from 2009-08-13 to 2009-09-13 )))))))))))))))))))))))))))))))
.

2009-09-13 23:04 . 2004-08-04 07:56 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-13 23:04 . 2004-08-04 07:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-09-13 19:05 . 2009-09-13 19:05 574 ----a-w- C:\cleanup.bat
2009-09-13 19:05 . 2009-09-13 19:05 135168 ----a-w- C:\zip.exe
2009-09-13 14:17 . 2009-09-13 14:17 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-09-13 14:16 . 2009-09-13 14:16 30496 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:23 . 2009-09-13 03:23 -------- d-----w- C:\Docum
2009-09-12 23:09 . 2009-09-12 23:09 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Malwarebytes
2009-09-12 23:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 23:09 . 2009-09-13 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 23:09 . 2009-09-12 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 23:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-12 23:06 . 2009-09-12 23:06 -------- d-----w- c:\program files\Trend Micro
2009-09-12 23:03 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-12 23:03 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-12 23:03 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-12 23:03 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-12 23:03 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-12 23:03 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-12 23:03 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-12 23:03 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-12 23:03 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-12 21:35 . 2009-09-12 21:35 2855 ----a-w- C:\HijackThis.PIF
2009-09-12 21:20 . 2009-09-12 21:20 -------- d-sh--we c:\windows\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 00:44 . 2009-09-10 00:44 -------- d-----w- c:\program files\iPod
2009-09-10 00:44 . 2009-09-10 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 23:27 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-02 22:42 . 2009-09-02 22:42 -------- d-----w- c:\documents and settings\Dark Sword\del.icio.us
2009-08-26 12:07 . 2009-08-26 12:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-26 11:47 . 2009-08-26 11:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-26 11:44 . 2009-08-26 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-23 22:40 . 2009-08-23 22:40 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 18:49 . 2007-01-14 08:41 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-13 03:50 . 2005-03-04 21:40 -------- d-----w- c:\program files\Trillian
2009-09-10 00:57 . 2003-10-19 00:50 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Apple Computer
2009-09-10 00:45 . 2007-10-03 02:19 -------- d-----w- c:\program files\iTunes
2009-09-10 00:44 . 2007-10-03 02:18 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 00:41 . 2008-04-05 05:10 -------- d-----w- c:\program files\QuickTime
2009-09-02 00:46 . 2008-07-20 04:01 -------- d-----w- c:\program files\Opera
2009-08-29 22:16 . 2004-06-17 17:13 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Azureus
2009-08-29 00:42 . 2008-09-09 23:34 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2007-10-03 02:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 11:48 . 2006-08-13 20:57 -------- d-----w- c:\program files\Google
2009-08-21 01:35 . 2004-06-17 17:13 -------- d-----w- c:\program files\Azureus
2009-08-12 00:23 . 2004-07-23 02:55 -------- d-----w- c:\program files\MatroskaProp
2009-08-10 21:28 . 2009-08-10 21:27 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-10 21:26 . 2005-01-23 23:46 -------- d-----w- c:\program files\Matroska
2009-08-10 21:25 . 2004-07-23 02:55 -------- d-----w- c:\program files\Matroska Pack
2009-08-05 09:11 . 2003-07-18 03:09 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-09-23 02:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-01-08 22:23 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2001-08-23 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2001-08-23 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2001-08-23 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2001-08-23 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2001-08-23 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2001-08-23 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2001-08-23 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2001-08-23 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2001-08-23 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2001-08-23 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2001-08-23 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2001-08-23 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2001-08-23 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2001-08-23 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2001-08-23 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2001-08-23 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-10-29 18944]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Dark Sword\\My Documents\\Temp\\Magic\\Manalink.exe"=
"c:\\Program Files\\DOSBox-0.61\\dosbox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Dark Sword\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/12/2009 6:03 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/12/2009 6:03 PM 20560]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [7/14/2006 6:21 PM 450400]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S2 bzqhwe;bzqhwe;c:\windows\system32\drivers\qasymv.sys --> c:\windows\system32\drivers\qasymv.sys [?]
S2 gupdate1ca26435ef08d4;Google Update Service (gupdate1ca26435ef08d4);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 6:47 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 EL98x;3Com EtherLink 10/100 PCI;c:\windows\system32\drivers\el98xn5.sys [3/19/2004 10:20 AM 70174]
S3 ldiskl;ldiskl;\??\c:\docume~1\DARKSW~1\LOCALS~1\Temp\ldiskl.sys --> c:\docume~1\DARKSW~1\LOCALS~1\Temp\ldiskl.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-26 11:44]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 11:47]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 11:47]

2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.egullet.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dark Sword\Application Data\Mozilla\Firefox\Profiles\v2c9i8ii.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://maps.google.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1691.8062\npCIDetect13.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
FF - plugin: c:\program files\Java\jre1.5.0_04\bin\NPOJI610.dll
FF - plugin: c:\program files\Opera7\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Opera7\program\plugins\npdrmv2.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJava11.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJava12.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJava13.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJava14.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJava32.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPJPI150_03.dll
FF - plugin: c:\program files\Opera7\program\plugins\NPOJI610.dll
FF - plugin: c:\program files\Opera7\program\plugins\npqtplugin.dll
FF - plugin: c:\program files\Opera7\program\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Opera7\program\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Opera7\program\plugins\npqtplugin4.dll
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{EDB0E980-90BD-11D4-8599-0008C7D3B6F8} - c:\program files\Qualcomm\Eudora\EuShlExt.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\\P*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"="y"
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\停\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"07243.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\imjp81.ime
c:\windows\system32\imjp81k.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(4056)
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\imjp81.ime
c:\windows\system32\imjp81k.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
c:\windows\system32\shdoclc.dll
c:\windows\IME\imjp8_1\IMJPCIC.DLL
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTXFISPI.EXE
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
c:\program files\Creative\ShareDLL\CADI\NotiMan.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\UltraMon\UltraMonTaskbar.exe
.
**************************************************************************
.
Completion time: 2009-09-13 19:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 00:00

Pre-Run: 36,064,641,024 bytes free
Post-Run: 36,073,017,344 bytes free

320 --- E O F --- 2009-09-10 22:40

And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:04:11 PM, on 9/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIZMO2\GIZMO.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\Copy (2) of HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GIZMO2] C:\Program Files\GIZMO2\GIZMO.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca26435ef08d4) (gupdate1ca26435ef08d4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 7756 bytes

Re: Nothing scans even in Safe Mode14th September 2009, 12:52 am

Hi

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

DirLook::
c:\Docum
Suspect::
c:\docume~1\DARKSW~1\LOCALS~1\Temp\ldiskl.sys
Driver::
rotscxiqvdbakb

Save this as CFScript.txt, in the same location as ComboFix.exe

Nothing scans even in Safe Mode CFScriptB-4

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O18 - Protocol hijack: cdo - >IT00H20MH8IH5-1HT1G8IT{-H0N0HFIH62PH}
O18 - Protocol hijack: its - >IT14H2N1HBIH8-1HT0GAIT{-H000H8IH49PH}
O18 - Protocol hijack: lid - >IT13H1N0H9IH3-4HTMGAIT4-H4NMH7IHW8PH}
O18 - Protocol hijack: tv - {HBIH08PH-MG4I-11H2-MHDIH00PH4MGBIT6P}
O18 - Protocol hijack: wia - >I3{3HANMH9IH7-4H0MGAI76-H2NMHAIHW{PH}

Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

==

Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

==

Please download DragonFix by DragonMaster Jay, and save it to your Desktop.

Please disable realtime protection. (If any)
Double-click RunFirst.vbs. Follow the prompts and make sure it completes. It will confirm the Restore Point was added.
Double-click DragonFix.reg, and follow the prompt(s).
Please reboot your computer.

==

In your next reply, please post the following logs:

-ComboFix log
-HijackThis log
-Security Checkup log

(You may have to use two posts to place all the information in)

Also, please tell me how your computer is running.

Re: Nothing scans even in Safe Mode14th September 2009, 1:28 am

Hello DragonMaster Jay,

Here are the logs:

ComboFix 09-09-13.04 - Dark Sword 3/2009 Sun 19:57.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.932.81.1033.18.1535.917 [GMT -5:00]
Running from: c:\documents and settings\Dark Sword\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Dark Sword\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1351 [VPS 090913-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-13 23:04 . 2004-08-04 07:56 55808 -c--a-w- c:\windows\system32\dllcache\eventlog.dll
2009-09-13 23:04 . 2004-08-04 07:56 55808 ------w- c:\windows\system32\eventlog.dll
2009-09-13 19:05 . 2009-09-13 19:05 574 ----a-w- C:\cleanup.bat
2009-09-13 19:05 . 2009-09-13 19:05 135168 ----a-w- C:\zip.exe
2009-09-13 14:17 . 2009-09-13 14:17 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\Mozilla
2009-09-13 14:16 . 2009-09-13 14:16 30496 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-13 03:23 . 2009-09-13 03:23 -------- d-----w- C:\Docum
2009-09-12 23:09 . 2009-09-12 23:09 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Malwarebytes
2009-09-12 23:09 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-12 23:09 . 2009-09-13 20:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-12 23:09 . 2009-09-12 23:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-12 23:09 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-12 23:06 . 2009-09-12 23:06 -------- d-----w- c:\program files\Trend Micro
2009-09-12 23:03 . 2009-08-17 16:04 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-09-12 23:03 . 2009-08-17 16:04 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-09-12 23:03 . 2009-08-17 16:03 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-09-12 23:03 . 2009-08-17 16:06 93392 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-09-12 23:03 . 2009-08-17 16:06 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-09-12 23:03 . 2009-08-17 16:05 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-09-12 23:03 . 2009-08-17 16:05 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-09-12 23:03 . 2009-08-17 16:02 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-09-12 23:03 . 2009-08-17 16:10 1279456 ----a-w- c:\windows\system32\aswBoot.exe
2009-09-12 21:35 . 2009-09-12 21:35 2855 ----a-w- C:\HijackThis.PIF
2009-09-12 21:20 . 2009-09-12 21:20 -------- d-sh--we c:\windows\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 00:44 . 2009-09-10 00:44 -------- d-----w- c:\program files\iPod
2009-09-10 00:44 . 2009-09-10 00:45 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-09 23:27 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-02 22:42 . 2009-09-02 22:42 -------- d-----w- c:\documents and settings\Dark Sword\del.icio.us
2009-08-26 12:07 . 2009-08-26 12:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-08-26 11:47 . 2009-08-26 11:47 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-08-26 11:44 . 2009-08-26 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-23 22:40 . 2009-08-23 22:40 -------- d-----w- c:\program files\Microsoft Silverlight

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 18:49 . 2007-01-14 08:41 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-13 03:50 . 2005-03-04 21:40 -------- d-----w- c:\program files\Trillian
2009-09-10 00:57 . 2003-10-19 00:50 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Apple Computer
2009-09-10 00:45 . 2007-10-03 02:19 -------- d-----w- c:\program files\iTunes
2009-09-10 00:44 . 2007-10-03 02:18 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 00:41 . 2008-04-05 05:10 -------- d-----w- c:\program files\QuickTime
2009-09-02 00:46 . 2008-07-20 04:01 -------- d-----w- c:\program files\Opera
2009-08-29 22:16 . 2004-06-17 17:13 -------- d-----w- c:\documents and settings\Dark Sword\Application Data\Azureus
2009-08-29 00:42 . 2008-09-09 23:34 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-29 00:42 . 2007-10-03 02:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-26 11:48 . 2006-08-13 20:57 -------- d-----w- c:\program files\Google
2009-08-21 01:35 . 2004-06-17 17:13 -------- d-----w- c:\program files\Azureus
2009-08-12 00:23 . 2004-07-23 02:55 -------- d-----w- c:\program files\MatroskaProp
2009-08-10 21:28 . 2009-08-10 21:27 -------- d-----w- c:\program files\K-Lite Codec Pack
2009-08-10 21:26 . 2005-01-23 23:46 -------- d-----w- c:\program files\Matroska
2009-08-10 21:25 . 2004-07-23 02:55 -------- d-----w- c:\program files\Matroska Pack
2009-08-05 09:11 . 2003-07-18 03:09 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2001-08-23 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-09-23 02:46 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-01-08 22:23 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 07:56 81920 ------w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2001-08-23 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2001-08-23 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2001-08-23 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2001-08-23 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2001-08-23 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2001-08-23 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2001-08-23 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2001-08-23 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2001-08-23 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2001-08-23 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2001-08-23 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2001-08-23 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-22 11:49 . 2001-08-23 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2001-08-23 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2001-08-23 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2001-08-23 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-16 14:55 . 2001-08-23 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2001-08-23 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\Docum ----

2009-09-13 03:23 . 2009-09-13 03:23 32768 ----a-w- c:\docum\Local Settings\History\History.IE5\MSHist012009091220090913\index.dat
2009-09-13 03:23 . 2009-09-13 03:23 654 ----a-w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\G9Y7016N\ac[1].htm
2009-09-13 03:23 . 2009-09-13 03:23 16384 ----a-w- c:\docum\Cookies\index.dat
2009-09-13 03:23 . 2009-09-13 03:23 113 --sh--w- c:\docum\Local Settings\History\History.IE5\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 32768 ----a-w- c:\docum\Local Settings\History\History.IE5\index.dat
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\CX23C167\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\OHYR4LYZ\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 113 --sh--w- c:\docum\Local Settings\History\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 32768 ----a-w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\index.dat
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\G9Y7016N\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\Content.IE5\SXABC5UF\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 67 --sh--w- c:\docum\Local Settings\Temporary Internet Files\desktop.ini
2009-09-13 03:23 . 2009-09-13 03:23 122 --sha-w- c:\docum\Favorites\Desktop.ini

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Jet Detection"="c:\program files\Creative\SBLive\PROGRAM\ADGJDet.exe" [2001-11-29 28672]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-13 344064]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]
"GIZMO2"="c:\program files\GIZMO2\GIZMO.exe" [2008-11-17 2229512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-09 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"WINDVDPatch"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2005-10-29 18944]
"CTHelper"="CTHELPER.EXE" - c:\windows\system32\CTHELPER.EXE [2002-07-03 24576]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\jre1.5.0_04\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Dark Sword\\My Documents\\Temp\\Magic\\Manalink.exe"=
"c:\\Program Files\\DOSBox-0.61\\dosbox.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Documents and Settings\\Dark Sword\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [9/12/2009 6:03 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/12/2009 6:03 PM 20560]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 9:22 PM 11776]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [7/14/2006 6:21 PM 450400]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 9:23 PM 3584]
S2 bzqhwe;bzqhwe;c:\windows\system32\drivers\qasymv.sys --> c:\windows\system32\drivers\qasymv.sys [?]
S2 gupdate1ca26435ef08d4;Google Update Service (gupdate1ca26435ef08d4);c:\program files\Google\Update\GoogleUpdate.exe [8/26/2009 6:47 AM 133104]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S3 EL98x;3Com EtherLink 10/100 PCI;c:\windows\system32\drivers\el98xn5.sys [3/19/2004 10:20 AM 70174]
S3 ldiskl;ldiskl;\??\c:\docume~1\DARKSW~1\LOCALS~1\Temp\ldiskl.sys --> c:\docume~1\DARKSW~1\LOCALS~1\Temp\ldiskl.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-07-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-09-13 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-26 11:44]

2009-09-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 11:47]

2009-09-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-26 11:47]

2009-09-13 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://forums.egullet.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Dark Sword\Application Data\Mozilla\Firefox\Profiles\v2c9i8ii.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://maps.google.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-746137067-1770027372-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\\P*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"="y"
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\停\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"07243.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\imjp81.ime
c:\windows\system32\imjp81k.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(1212)
c:\program files\UltraMon\RTSUltraMonHook.dll
c:\windows\system32\imjp81.ime
c:\windows\system32\imjp81k.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
c:\windows\system32\shdoclc.dll
c:\windows\IME\imjp8_1\IMJPCIC.DLL
c:\program files\UltraMon\Resources\en\RTSUltraMonHookRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-09-14 20:14
ComboFix-quarantined-files.txt 2009-09-14 01:14
ComboFix2.txt 2009-09-14 00:00

Pre-Run: 36,060,852,224 bytes free
Post-Run: 36,016,898,048 bytes free

258 --- E O F --- 2009-09-10 22:40

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:17:21 PM, on 9/13/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\GIZMO2\GIZMO.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Entertainment Center\EAXLoadr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Trend Micro\HijackThis\Copy (2) of HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RCSystem] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" RCSystem * -Startup
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [GIZMO2] C:\Program Files\GIZMO2\GIZMO.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: cdo - >00
20
8
5-1
1 8-
00
F
62
}
O18 - Protocol hijack: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol hijack: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol hijack: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol hijack: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B}
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol hijack: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B}
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\WINDOWS\system32\mshtml.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\system32\mshtml.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Update Service (gupdate1ca26435ef08d4) (gupdate1ca26435ef08d4) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe

--
End of file - 8505 bytes

Continued in the next post...

Re: Nothing scans even in Safe Mode14th September 2009, 1:30 am

Here's the SecurityCheck log:

Results of screen317's Security Check version 0.98.9
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
avast! Antivirus

Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:
Out of date Spybot installed!
Spybot - Search & Destroy 1.4
Spybot - Search & Destroy
Windows Defender
Malwarebytes' Anti-Malware
HijackThis 2.0.2
Java Web Start
Adobe Flash Player 10
Adobe Reader 7.0.9
Adobe Reader Japanese Fonts
``````````````````````````````
Process Check:
objlist.exe by Laurent
Windows Defender MsMpEng.exe is disabled!
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe

``````````````````````````````
DNS Vulnerability Check:
GOOD! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

It looks like my computer is close to running as quickly as it was before I got hit with the virus, at least as far as I can tell.

Re: Nothing scans even in Safe Mode14th September 2009, 2:51 am

Hi

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

==

Please navigate to the Control Panel, enter Add or Remove programs, and remove the following:

-All versions of Adobe reader
-Spybot Search & Destroy (Install the latest later)(If you use Windows Defender, then Spybot is not needed)

==

Adobe Acrobat Reader is out of date.

Please download the newest version from here: [url="http://www.adobe.com/products/acrobat/readstep2.html"]http://www.adobe.com/products/acrobat/readstep2.html[/url]

==

!! Your security programs are not enabled properly. Please re-enable avast! real-time scanning, and re-enable Windows Defender. If you choose to use Spybot, please uninstall Windows Defender. !!

==

In your next reply, please tell me how the updates went. This is important because if you had any problems updating, it could be a sign of more malware.

Re: Nothing scans even in Safe Mode15th September 2009, 12:53 am

Hello DragonMaster Jay,

I've updated my version of Spybot S&D, as well as my copy of Adobe Acrobat Reader.

I had my Avast! real-time scanning turned off to run a couple of the programs as instructed in the last post, it's been turned back on now.

The only thing I have yet to do is upgrade to SP3. I'll be looking into that.

Thanks again for all of your help. It looks like my computer is at this point virus free, an Avast! scan doesn't turn up anything suspicious.

I do have one question for you, was it something specific in the SystemLook file that prompted you to target eventlog.dll with Avenger.exe or was it just previous experience?

Re: Nothing scans even in Safe Mode15th September 2009, 1:30 am

Hi

Actually, when you did the scans with SystemLook and The Avenger, it found info took care of a system file that was infected. Then, ComboFix replaced the damaged system file. Since the system file got infected, it had to be manually repaired, because it is a new method from malware writers to hurt people's computers.

Hooray!

Your computer is clean!
==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

Firewall

Tallemu Online Armor: the free version is just as good as the premium. I have linked you to the free version.
Comodo Firewall: the free version is just as good as the premium. I have linked you to the free version. The optional security suite enhances the firewall by 40% increase. If you would like to install the suite that includes antivirus, then remove your old antivirus first.
PC Tools Firewall Plus: free and excellent firewall.

AntiSpyware

SpywareBlaster
SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
Spybot - Search & Destroy.
Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).

NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.

Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:

Firefox may be downloaded from here: http://www.getfirefox.com
Opera is available here: http://www.opera.com/download/

Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: Nothing scans even in Safe Mode16th September 2009, 2:10 am

Hello DragonMaster Jay,

Thanks. I'm using Anti-Spyware programs and my default browser is Opera. I'll look into the firewalls, I think they'd be a great help.

Also dropped some change in the hat for all of your help. Thanks again, and keep up the good fight!

Re: Nothing scans even in Safe Mode16th September 2009, 2:37 am

Thank you much.

Stay safe!

Since this issue appears to be solved, this topic is now closed and being marked solved.

If you need the topic reopened, PM an administrator, moderator, or staff.

Nothing scans even in Safe Mode

descriptionNothing scans even in Safe Mode12th September 2009, 11:44 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 1:33 am

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 3:31 am

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 3:38 am

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 3:57 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 6:06 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 6:19 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 6:59 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 10:12 pm

descriptionRe: Nothing scans even in Safe Mode13th September 2009, 10:48 pm

descriptionRe: Nothing scans even in Safe Mode14th September 2009, 12:05 am

descriptionRe: Nothing scans even in Safe Mode14th September 2009, 12:52 am

descriptionRe: Nothing scans even in Safe Mode14th September 2009, 1:28 am

descriptionRe: Nothing scans even in Safe Mode14th September 2009, 1:30 am

descriptionRe: Nothing scans even in Safe Mode14th September 2009, 2:51 am

descriptionRe: Nothing scans even in Safe Mode15th September 2009, 12:53 am

descriptionRe: Nothing scans even in Safe Mode15th September 2009, 1:30 am

descriptionRe: Nothing scans even in Safe Mode16th September 2009, 2:10 am

descriptionRe: Nothing scans even in Safe Mode16th September 2009, 2:37 am

descriptionRe: Nothing scans even in Safe Mode