WiredWX Christian Hobby Weather Tools

Mcafee and Malware won't scan

Neither McAfee nor Malware is able to scan my computer for viruses. When I try to start a scan in McAfee, it just gives me an error that says "error starting on demand scanner." Malware just shuts down and can't be reopened. I am reasonably certain that my computer has a virus. I have seen other posts that request a SystemLook report, so I got one:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:29 on 31/10/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [14:45 24/06/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6002.18005_none_39f95b67d63d3a5e\scecli.dll --a--- 177152 bytes [02:18 17/09/2009] [06:28 11/04/2009] 8FC182167381E9915651267044105EE1
C:\Windows\System32\scecli.dll --a--- 177152 bytes [17:20 01/09/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [17:20 01/09/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

Searching for "netlogon.dll"
C:\Windows\SoftwareDistribution\Download\b2ee164db645e6bc8d77bb51f082e3b3\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [14:47 24/06/2008] [07:35 19/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\Windows\SoftwareDistribution\Download\cd2b15b1a90e884578188440a1660b12\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6002.18005_none_ffa3304f351bb3a3\netlogon.dll --a--- 592896 bytes [02:18 17/09/2009] [06:28 11/04/2009] 95DAECF0FB120A7B5DA679CC54E37DDE
C:\Windows\System32\netlogon.dll --a--- 592384 bytes [17:23 01/09/2008] [07:35 19/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6000.16386_none_fb80f5473b0ed783\netlogon.dll --a--- 559616 bytes [08:45 02/11/2006] [09:46 02/11/2006] 889A2C9F2AACCD8F64EF50AC0B3D553B
C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.0.6001.18000_none_fdb7b74337f9e857\netlogon.dll --a--- 592384 bytes [17:23 01/09/2008] [07:35 19/01/2008] A8EFC0B6E75B789F7FD3BA5025D4E37F

Searching for "eventlog.dll"
No files found.

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 61952 bytes [01:57 01/01/1601] [05:08 26/09/1636] (Unable to calculate MD5)
C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 7F15B4953378C8B5161D65C26D5FED4D

-=End Of File=-

If anybody knows where to go from here, I'd appreciate it.

Re: Mcafee and Malware won't scan

Please download ComboFix from BleepingComputer.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
  • Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista. Just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.

combofix log

Okay, here's the log from the combofix. I had to run combofix twice because the first time, the computer restarted on its own, and didn't produce anything at all. Plus, I don't know if this was supposed to happen, but now I can't open up my web browsers. It says, "Illegal operation attempted on a registry key that has been marked for deletion." I had to post this through a different computer.

ComboFix 09-10-30.01 - Owner 11/01/2009 13:24.2.2 - NTFSx86
Microsoft®️ Windows Vista™️ Home Premium 6.0.6001.1.1252.1.1033.18.3063.2033 [GMT -6:00]
Running from: c:\users\Owner\Desktop\commy.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2733014286-607279091-1391130181-500
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\system32\AutoRun.inf
c:\windows\system32\logs
c:\windows\system32\logs\Settings.dat
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 )))))))))))))))))))))))))))))))
.

2009-11-01 19:30 . 2009-11-01 19:33 -------- d-----w- c:\users\Owner\AppData\Local\temp
2009-11-01 19:30 . 2009-11-01 19:30 -------- d-----w- c:\users\Guest\AppData\Local\temp
2009-11-01 19:30 . 2009-11-01 19:30 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-11-01 19:24 . 2008-01-19 07:41 21560 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-31 19:31 . 2009-10-31 19:31 -------- d-----w- c:\windows\McAfee.com
2009-10-31 19:03 . 2009-10-31 19:03 -------- d-----w- c:\users\Owner\AppData\Local\Deployment
2009-10-31 16:58 . 2009-10-31 16:58 -------- d-----w- C:\mfe
2009-10-31 16:47 . 2009-10-31 16:47 -------- d-----w- c:\programdata\Citrix
2009-10-31 16:36 . 2009-10-31 16:36 -------- d-----w- c:\program files\Citrix
2009-10-31 16:36 . 2009-10-31 16:36 -------- d-----w- c:\users\Owner\AppData\Local\Citrix
2009-10-31 16:36 . 2009-10-31 16:36 61224 ----a-w- c:\users\Owner\GoToAssistDownloadHelper.exe
2009-10-31 16:22 . 2009-10-31 16:22 -------- d-----w- c:\users\Owner\AppData\Roaming\McAfee
2009-10-29 13:28 . 2009-10-29 13:28 -------- d-----w- c:\windows\Sun
2009-10-29 13:21 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-29 13:21 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-29 13:21 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-29 13:21 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-29 13:20 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-29 13:20 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-29 13:20 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-29 13:20 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-29 13:20 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-10-29 04:47 . 2009-10-31 18:08 0 ----a-r- c:\windows\win32k.sys
2009-10-28 12:50 . 2009-09-10 15:21 310784 ----a-w- c:\windows\system32\unregmp2.exe
2009-10-28 12:50 . 2009-09-10 15:21 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-10-16 17:44 . 2009-08-31 13:55 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-10-16 17:44 . 2009-09-04 12:24 61440 ----a-w- c:\windows\system32\msasn1.dll
2009-10-16 17:44 . 2009-09-14 09:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-16 17:44 . 2009-04-02 12:37 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-03 13:02 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-31 22:45 . 2007-08-25 17:17 -------- d-----w- c:\programdata\McAfee
2009-10-31 22:45 . 2009-05-17 15:54 -------- d-----w- c:\program files\McAfee
2009-10-29 20:48 . 2008-10-24 23:15 1356 ----a-w- c:\users\Owner\AppData\Local\d3d9caps.dat
2009-10-27 02:56 . 2009-05-16 00:48 -------- d-----w- c:\users\Owner\AppData\Roaming\Skype
2009-10-26 21:00 . 2009-05-16 00:54 -------- d-----w- c:\users\Owner\AppData\Roaming\skypePM
2009-10-17 08:15 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-10-17 08:05 . 2007-08-25 16:52 -------- d-----w- c:\programdata\Microsoft Help
2009-10-17 08:04 . 2007-08-25 16:53 -------- d-----w- c:\program files\Microsoft Works
2009-10-11 13:16 . 2007-12-08 22:09 101856 ----a-w- c:\users\Owner\AppData\Local\GDIPFONTCACHEV1.DAT
2009-09-26 03:08 . 2009-09-25 21:41 -------- d-----w- c:\program files\TS
2009-09-26 02:57 . 2009-09-26 02:57 -------- d-----w- c:\users\Owner\AppData\Roaming\Malwarebytes
2009-09-26 02:57 . 2009-09-26 02:57 -------- d-----w- c:\programdata\Malwarebytes
2009-09-25 21:13 . 2008-04-05 16:01 -------- d-----w- c:\users\Owner\AppData\Roaming\Move Networks
2009-09-22 13:58 . 2009-09-22 13:51 -------- d-----w- c:\users\Owner\AppData\Roaming\HpUpdate
2009-09-22 13:58 . 2009-09-22 13:56 116839 ----a-w- c:\windows\hpqins00.dat
2009-09-16 15:22 . 2009-05-17 15:54 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-09-16 15:22 . 2009-05-17 15:54 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-09-16 15:22 . 2009-05-17 15:54 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-09-16 15:22 . 2009-05-17 15:51 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
2009-09-11 03:16 . 2009-03-14 01:50 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 17:30 . 2009-10-16 17:45 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-31 13:55 . 2009-10-16 17:45 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-08-28 12:39 . 2009-09-02 22:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 22:38 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-27 13:32 . 2009-10-16 17:45 833024 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 13:29 . 2009-10-16 17:45 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-08-27 10:58 . 2009-10-16 17:45 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-18 04:33 . 2009-08-18 04:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 17:07 . 2009-09-10 14:11 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-10 14:11 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-10 14:11 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-10 14:11 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-10 14:11 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-10 14:11 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-10 14:11 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-10 14:11 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-10 14:11 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-10 14:11 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-05 14:22 . 2009-10-16 17:45 3597896 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:22 . 2009-10-16 17:45 3546184 ----a-w- c:\windows\system32\ntoskrnl.exe
.

------- Sigcheck -------

[-] 1636-09-26 05:08 . 6CD7F13B1F144218B0CBF0FBC8ACC564 . 61952 . . [------] . . c:\windows\System32\cngaudit.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-01-03 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-01-03 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-01-03 133656]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]
"Skytel"="Skytel.exe" - c:\windows\SkyTel.exe [2007-06-15 1826816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-04 40072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Billminder.lnk - c:\program files\Quicken\billmind.exe [2002-9-20 36864]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2002-9-20 53248]
Quicken Startup.lnk - c:\program files\Quicken\QWDLLS.EXE [2002-9-20 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=""
"FirewallOverride"=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

R2 MotorolaDAP;Motorola Digital Audio Player Manager;c:\windows\System32\MotorolaDAP.exe [9/28/2004 12:04 PM 270336]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\System32\drivers\athrusb.sys [3/13/2009 1:04 PM 451072]
S3 athrusb6;Atheros Wireless LAN USB device driver 6 Series;c:\windows\System32\drivers\athru6.sys [7/5/2007 1:57 AM 873472]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 4:25 AM 2589184]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2006-08-29 19:21]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&SubCH=nofound&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5622
Trusted Zone: internet
Trusted Zone: mcafee.com
FF - ProfilePath - c:\users\Owner\AppData\Roaming\Mozilla\Firefox\Profiles\56po4uhx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official|http://www.tvguide.com/Listings/default.aspx
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\users\Owner\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-TS - c:\program files\TS\tsc.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 13:34
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\DRIVERS\xaudio.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\\?\c:\windows\system32\wbem\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2009-11-01 13:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-01 19:35

Pre-Run: 337,786,920,960 bytes free
Post-Run: 337,429,803,008 bytes free

- - End Of File - - DBA4F49946795A3488BD454F2D6A17DA

Thanks for your help so far.

One more thing

So since posting, I realized I can't seem to open any .exe files anymore. I've tried several programs and they all give me the same error.

Re: Mcafee and Malware won't scan

Please go HERE. Copy and paste the following file path in to the box.

c:\windows\SMINST\launcher.exe

Do the same for these two files:

C:\windows\system32\cngaudit.dll
C:\windows\explorer.exe


Then click submit.

Please post the results (URL) to your next reply.

Results

Okay, here are the results from the website:

http://www.virustotal.com/reanalisis.html?9cd5ab7fb2ffb3965506a21c2c8b1b77f1eb9d25363fa2187fd5e70e82caa086-1257134081
http://www.virustotal.com/reanalisis.html?8488a675b180d1ec71e6e3a3858f93c356bc042fe3becf46a125565ca491fa04-1257134350
http://www.virustotal.com/reanalisis.html?178d20aaecbd408dffda71ae4d70ad61c278229b4cd7dcd7b854a9a8404ca657-1257134454

By the way, restarting my computer again fixed the problem with not being able to run programs. Thanks for your help!

Re: Mcafee and Malware won't scan

DragonMaster Jay wrote:
Please go HERE. Copy and paste the following file path in to the box.

c:\windows\SMINST\launcher.exe

Do the same for these two files:

C:\windows\system32\cngaudit.dll
C:\windows\explorer.exe


Then click submit.

Please post the results (URL) to your next reply.


Hi. Please redo this process. Sorry I forgot to tell you...re-scan the file. It will tell you it has already been analyzed, but re-scan, please.

Then, post the URL of each result. Thanks.

My results

http://www.virustotal.com/analisis/9cd5ab7fb2ffb3965506a21c2c8b1b77f1eb9d25363fa2187fd5e70e82caa086-1257170596
http://www.virustotal.com/analisis/8488a675b180d1ec71e6e3a3858f93c356bc042fe3becf46a125565ca491fa04-1257170812
http://www.virustotal.com/analisis/178d20aaecbd408dffda71ae4d70ad61c278229b4cd7dcd7b854a9a8404ca657-1257170906

That second one looks bad...

Re: Mcafee and Malware won't scan

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\System32\cngaudit.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: dragging CFScript.txt onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


==

Next

Go to Start, type in CMD, right-click on it in the results pane, and select Run as Administrator.
Type in: sfc /scannow
Press enter.
It will probably ask for your Windows Vista DVD, please place it in the drive.

After the first run, reboot your computer. Do a second run. Now the scan and fix is finished.

Re: Mcafee and Malware won't scan

So I feel retarded. I was following your instructions, but forgot to save the notepad log from the ComboFix run. So now it is lost from when I restarted the computer. The CMD program gave me the same response after both times:

Verification 100% complete
Windows Resource Protection found corrupt files but was unable to fix some of them.
Details are included in the CBS.Log windir\Logs\CBS\CBS.log For example
C:\Windows\Logs\CBS\CBS.log

I tried to open up CBS.log so I could paste it here for you to see, but it said "access denied." I did not rerun ComboFix (by dragging the notepad file) because I didn't know if I should. Let me know if I've totally screwed things up now.

Thanks a lot

Re: Mcafee and Malware won't scan

One more thing, I looked in the Windows32 folder, and cngaudit.dll was not there anymore. I don't know if that means my computer is clean or what.

Re: Mcafee and Malware won't scan

Were you able to use the Windows DVD with SFC?

If not, then I can upload that system file. CNGAUDIT.dll is an important part of Windows Vista. The malicious software on your system had infected the system file, preventing it from functioning properly.
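
The SystemLook and ComboFix logs earlier in this thread show why cngaudit.dll stood out: its System32 copy had no computable MD5, timestamps in 1601 and 1636, and a size unlike the winsxs copy. The script below is an added example, not part of the original thread or of SystemLook, that applies those three checks to a filefind log. The sample log is constructed (directory names and MD5 values are made up), and the 1980 year cutoff and the comparison against winsxs copies are assumptions of this example; a hit is a reason to submit the file for analysis, not a verdict.

```python
import re

# Constructed sample in SystemLook "filefind" format. Directory names and MD5
# values are made up; the System32 cngaudit.dll line follows the thread's pattern.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "scecli.dll"
C:\Windows\System32\scecli.dll --a--- 177152 bytes [17:20 01/09/2008] [07:36 19/01/2008] 11111111111111111111111111111111
C:\Windows\winsxs\x86_example-a_6.0.6001.18000_none_0001\scecli.dll --a--- 177152 bytes [17:20 01/09/2008] [07:36 19/01/2008] 11111111111111111111111111111111

Searching for "eventlog.dll"
No files found.

Searching for "cngaudit.dll"
C:\Windows\System32\cngaudit.dll --a--- 61952 bytes [01:57 01/01/1601] [05:08 26/09/1636] (Unable to calculate MD5)
C:\Windows\winsxs\x86_example-b_6.0.6000.16386_none_0002\cngaudit.dll --a--- 11776 bytes [08:43 02/11/2006] [09:46 02/11/2006] 22222222222222222222222222222222
"""

SEARCH = re.compile(r'^Searching for "(.+)"$')
# path, attribute flags, size, created [HH:MM DD/MM/YYYY], modified, MD5 or error text
ENTRY = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<attrs>[-\w]{6}) (?P<size>\d+) bytes "
    r"\[\d\d:\d\d \d\d/\d\d/(?P<cyear>\d{4})\] "
    r"\[\d\d:\d\d \d\d/\d\d/(?P<myear>\d{4})\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)

# Assumption of this example: no legitimate file on a Vista-era disk predates 1980.
MIN_PLAUSIBLE_YEAR = 1980


def parse_filefind(text):
    """Return {searched_name: [entries]}; names with no hits map to []."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SEARCH.match(line)
        if m:
            current = m.group(1).lower()
            results.setdefault(current, [])
            continue
        m = ENTRY.match(line)
        if m and current is not None:
            md5 = m.group("md5")
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "years": (int(m.group("cyear")), int(m.group("myear"))),
                "md5": None if md5.startswith("(") else md5.upper(),
            })
    return results


def triage(parsed):
    """Return {system32_path: [reasons]} for live copies worth a closer look."""
    findings = {}
    for entries in parsed.values():
        # (size, md5) of every hashed component-store copy of this file name
        store = {(e["size"], e["md5"]) for e in entries
                 if "\\winsxs\\" in e["path"].lower() and e["md5"]}
        for e in entries:
            if "\\system32\\" not in e["path"].lower():
                continue
            reasons = []
            if e["md5"] is None:
                reasons.append("md5 could not be calculated")
            if min(e["years"]) < MIN_PLAUSIBLE_YEAR:
                reasons.append("implausible timestamp year %d" % min(e["years"]))
            if store and (e["size"], e["md5"]) not in store:
                reasons.append("no winsxs copy with the same size and md5")
            if reasons:
                findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in triage(parse_filefind(SAMPLE_LOG)).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```
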

Re: Mcafee and Malware won't scan

It didn't ask me to insert the DVD. I guess I thought I was supposed to wait until prompted. So no, I didn't use the DVD. Not to mention, I can't seem to find my OS DVD anywhere. I have the one for my laptop, but not my desktop which is the computer we've been working on.

Re: Mcafee and Malware won't scan

Ok. No big deal.

Please download and SAVE this file to your Desktop: http://hmoslabs.webs.com/cngaudit.dll

Then, right-click on the File and select Cut.

Then, go to C:\Windows\System32

and in some white area, right-click and select Paste.

When finished, you should see CNGAUDIT.dll located in that System32 folder.

Re: Mcafee and Malware won't scan

i guess it was already there and it won't let me replace the existing one because it is in use. anything else i need to do? everything seems to be running smoothly now.

Re: Mcafee and Malware won't scan

It must be replaced, because the current one is infected:

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl C):


Files to delete:
C:\WINDOWS\system32\cngaudit.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

==

Then, do the process above to place the new CNGAUDIT.dll in to the System32 folder.

Re: Mcafee and Malware won't scan

Here's the log from Avenger:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\cngaudit.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

I also added the file as you outlined.

Re: Mcafee and Malware won't scan

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


How is your computer running?

Re: Mcafee and Malware won't scan

Results of screen317's Security Check version 0.99.0
Windows Vista Service Pack 1 (UAC is enabled)
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee SecurityCenter
McAfee Virtual Technician
WMIC entry does not exist for antivirus; attempting automatic update.
``````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 15
Java(TM) SE Runtime Environment 6 Update 1
Java(TM) 6 Update 5
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 9
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````



My computer seems to be running well now.

Re: Mcafee and Malware won't scan

Please consider updating to Windows Vista Service Pack 2 (SP2).
Windows Vista Service Pack 2 (SP2) contains all the updates released since SP1 plus support for new types of hardware and emerging hardware standards.
It is now available via Windows Update or as a standalone installation here.

==

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer, to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: Mcafee and Malware won't scan

Yeah, one more question. McAfee claims to have antispyware. Should I install those antispyware programs you recommended in addition to using McAfee?

Re: Mcafee and Malware won't scan

No need to. McAfee should do.
