WiredWX Christian Hobby Weather Tools
Re: Malware removed, still unable to load windows normally
Hello.

Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\system32\drivers\phooks.sys
  3. Press the "Submit File" button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Malware removed, still unable to load windows normally
Jotti's malware scan
This file has been scanned before. The results for this previous scan are listed below.
--------------------------------------------------------------------------------
Filename: A0158062.sys
Status: Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sun 10 Jan 2010 18:48:39 (CET) Permalink

--------------------------------------------------------------------------------
Additional info
File size: 23552 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: bf017d9a12d049fde1591f9f96c63431
SHA1: e0632f3e62c00445d4b514a5f254b3b00dcab8d4
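
A check worth pairing with the upload step above, added here as an example and not part of either post: compute the MD5 and SHA1 of the file on disk and compare them with the digests the scanner reports. The result above was returned under a different filename (A0158062.sys) as a "previously scanned" hit, which the scanner matches by hash, so agreeing digests are what confirm that the report applies to C:\WINDOWS\system32\drivers\phooks.sys and not to some other file. The REPORTED_DIGESTS values are the ones quoted in the post; SAMPLE_BLOB is a constructed stand-in so the block runs offline, and the function names are my own. A zero-detection count on a freshly created, unknown kernel driver is one data point, not a clean verdict.

```python
import hashlib
from typing import Dict

# Algorithms to compute; the scanner result above lists MD5 and SHA1.
ALGORITHMS = ("md5", "sha1", "sha256")

# Digests quoted in the scanner result above (reported for a file named A0158062.sys).
REPORTED_DIGESTS = {
    "md5": "bf017d9a12d049fde1591f9f96c63431",
    "sha1": "e0632f3e62c00445d4b514a5f254b3b00dcab8d4",
}

# Constructed stand-in for the driver bytes so the example runs offline;
# these are not the contents of phooks.sys.
SAMPLE_BLOB = b"constructed sample bytes, not the real driver"


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests of an in-memory blob, keyed by algorithm name."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def hash_file(path: str, chunk_size: int = 1 << 16) -> Dict[str, str]:
    """Hash a file on disk in chunks so a large binary need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_with_report(local: Dict[str, str], reported: Dict[str, str]) -> Dict[str, bool]:
    """For each algorithm both sides have, whether the digests agree.

    Comparison is case-insensitive and ignores surrounding whitespace,
    since reports paste digests in either case.
    """
    return {
        name: local[name].lower() == value.strip().lower()
        for name, value in reported.items()
        if name in local
    }


def same_file(local: Dict[str, str], reported: Dict[str, str]) -> bool:
    """True only if at least one algorithm overlaps and every overlapping digest matches."""
    results = compare_with_report(local, reported)
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Real use: local = hash_file(r"C:\WINDOWS\system32\drivers\phooks.sys")
    local = hash_bytes(SAMPLE_BLOB)
    for name, ok in compare_with_report(local, REPORTED_DIGESTS).items():
        print(f"{name}: {'match' if ok else 'MISMATCH'}")
    print("report applies to this file:", same_file(local, REPORTED_DIGESTS))
```

Requiring every overlapping digest to match, rather than any one, means a report that lists both MD5 and SHA1 has to agree on both before it is treated as describing the local file.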

Re: Malware removed, still unable to load windows normally
Hello.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open Notepad and copy/paste the text in the quote box below into it:

    SecCenter::
    {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint

    Driver::
    0057561267251205mcinstcleanup

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [picture: dragging CFScript.txt onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Re: Malware removed, still unable to load windows normally
After starting ComboFix, the blue window popped up, then a windows message window popped up stating that there was an updated version of ComboFix, and asked me if I wanted to install it. I selected "No" and continued with your instructions.

Here is the resulting log:

ComboFix 10-03-02.08 - Administrator 03/03/2010 19:03:18.2.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1757 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0057561267251205MCINSTCLEANUP
-------\Service_0057561267251205mcinstcleanup


((((((((((((((((((((((((( Files Created from 2010-02-04 to 2010-03-04 )))))))))))))))))))))))))))))))
.

2010-03-03 14:08 . 2010-03-03 14:16 -------- d-----w- C:\Combo-Fix
2010-03-01 11:35 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 11:35 . 2010-03-01 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 11:35 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-01 11:12 . 2010-03-01 11:12 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{74D08EB8-01D1-4BAE-91E3-F30C1B031AC6}
2010-03-01 11:10 . 2010-03-01 11:21 -------- d-----w- C:\ComboFix
2010-02-28 19:08 . 2010-02-28 19:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-02-28 00:46 . 2010-02-28 00:46 23552 ----a-w- c:\windows\system32\drivers\phooks.sys
2010-02-28 00:46 . 2010-02-28 00:46 -------- d-----w- c:\documents and settings\HP_Administrator\Pavark
2010-02-28 00:42 . 2010-02-28 00:42 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\Threat Expert
2010-02-27 23:18 . 2010-02-27 23:18 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2010-02-27 23:18 . 2010-02-27 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-27 20:05 . 2010-02-27 20:05 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-02-27 20:03 . 2010-02-27 20:07 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-27 19:42 . 2010-02-27 19:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\GlarySoft
2010-02-27 19:37 . 2010-02-27 19:37 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-02-27 05:58 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-27 00:15 . 2010-02-27 00:15 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2010-02-27 00:15 . 2010-02-27 00:15 -------- d-----w- c:\program files\CCleaner
2010-02-26 23:49 . 2010-02-27 06:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2010-02-26 20:10 . 2010-02-26 20:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-02-26 20:10 . 2010-02-26 23:47 -------- d-----w- c:\program files\Enigma Software Group
2010-02-26 20:10 . 2010-02-28 19:12 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-26 20:06 . 2010-02-26 20:06 -------- d-----w- c:\documents and settings\Administrator\Application Data\U3
2010-02-26 20:05 . 2010-02-26 20:05 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-01 11:35 . 2010-03-01 11:35 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-02-28 19:09 . 2008-07-25 19:16 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-27 20:01 . 2006-05-28 07:20 60384 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-27 19:10 . 2007-08-06 02:23 -------- d-----w- c:\program files\McAfee
2010-02-27 06:21 . 2006-05-28 07:43 -------- d-----w- c:\program files\Google
2009-12-21 19:16 . 2009-12-21 19:16 48644 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-19 19:42 . 2008-12-07 23:55 39 ----a-w- c:\documents and settings\HP_Administrator\jagex_runescape_preferences.dat
2009-12-19 19:29 . 2009-09-03 22:38 69 ----a-w- c:\documents and settings\HP_Administrator\jagex_runescape_preferences2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"Pando Media Booster"="c:\program files\Pando Networks\Media Booster\PMB.exe" [2009-12-23 2935480]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-05-28 180269]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 28160]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-10-13 139264]
"HPHUPD08"="c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 49152]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"HostManager"="c:\program files\Common Files\AOL\1231549752\ee\AOLSoftware.exe" [2009-03-12 41264]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdMgr.exe" [2006-03-16 61440]
"DISCover"="c:\program files\DISC\DISCover.exe" [2006-03-16 1077248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 282624]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-1-31 450560]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-5-28 36903]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Microsoft Games\\Zoo Tycoon 2\\zt.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\1231549752\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.2.0-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"56401:TCP"= 56401:TCP:Pando Media Booster
"56401:UDP"= 56401:UDP:Pando Media Booster

R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [2/27/2010 6:46 PM 23552]
S2 gupdate1c9b58184098b34;Google Update Service (gupdate1c9b58184098b34);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 6:00 PM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder

2010-01-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 17:34]

2010-03-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 00:00]

2010-03-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-05 00:00]

2009-11-15 c:\windows\Tasks\McDefragTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-06 17:22]

2009-01-01 c:\windows\Tasks\McQcTask.job
- c:\program files\mcafee\mqc\QcConsol.exe [2007-08-06 17:22]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
IE: &Google Search
IE: &Translate English Word
IE: Backward Links
IE: Cached Snapshot of Page
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Similar Pages
IE: Translate Page into English
Trusted Zone: trymedia.com
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 20:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-423021858-2121229421-4078344496-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,d1,7b,7e,2e,3e,44,41,bf,56,b4,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d6,d1,7b,7e,2e,3e,44,41,bf,56,b4,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\igfxsrvc.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2010-03-03 20:23:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-03-04 02:23
ComboFix2.txt 2010-03-03 14:16

Pre-Run: 244,261,949,440 bytes free
Post-Run: 244,113,182,720 bytes free

- - End Of File - - E4575BD400107BA2E34CEF16F1FA45FD
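
One way to triage a ComboFix log like the one above, added as an example (my code, not ComboFix's or the forum's): parse the "Files Created" lines and the R0/S2 service lines, pick out kernel drivers written under system32\drivers during the scan window, join each to its service entry, and rank them. On this log the one entry that is both boot-start and written fresh (created and modified stamps identical, rather than an older build copied in by an installer) is phooks.sys, the driver the helper asked to have scanned. Two readings of the format are my assumptions, not stated on the page: that the first timestamp column is creation time and the second modification time, and that the R/S prefix means running/stopped with the digit being the Windows service start type (0 = boot). The sample lines are copied from the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Sample lines in ComboFix's log format, copied from the log above
# ("Files Created" entries followed by two driver/service entries).
SAMPLE_LOG = r"""
2010-03-01 11:35 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-01 11:35 . 2010-03-01 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-01 11:35 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-28 00:46 . 2010-02-28 00:46 23552 ----a-w- c:\windows\system32\drivers\phooks.sys
2010-02-28 00:46 . 2010-02-28 00:46 -------- d-----w- c:\documents and settings\HP_Administrator\Pavark
2010-02-27 05:58 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys

R0 phooks;phooks;c:\windows\system32\drivers\phooks.sys [2/27/2010 6:46 PM 23552]
S2 gupdate1c9b58184098b34;Google Update Service (gupdate1c9b58184098b34);c:\program files\Google\Update\GoogleUpdate.exe [4/4/2009 6:00 PM 133104]
"""

# "<created> . <modified> <size or dashes> <attrs> <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# "<R|S><digit> <name>;<display name>;<image path> [<info>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<info>[^\]]*)\]$"
)
DRIVER_DIR = "\\system32\\drivers\\"


@dataclass(frozen=True)
class DriverFinding:
    path: str
    created: str             # first timestamp column (assumed: creation time)
    modified: str            # second timestamp column (assumed: modification time)
    size: Optional[int]
    service: Optional[str]   # service name whose image path is this file, if any
    start: Optional[str]     # e.g. "R0"; assumed: R/S = running/stopped, digit = start type

    @property
    def boot_start(self) -> bool:
        return self.start is not None and self.start.endswith("0")

    @property
    def fresh(self) -> bool:
        # Written at install time rather than an older prebuilt binary copied in.
        # ISO-style "YYYY-MM-DD HH:MM" stamps compare correctly as strings.
        return self.modified >= self.created


def parse_files(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield the fields of every 'Files Created' style line."""
    for line in log_text.splitlines():
        m = FILE_RE.match(line.rstrip())
        if m:
            yield m.groupdict()


def parse_services(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield the fields of every driver/service line."""
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.rstrip())
        if m:
            yield m.groupdict()


def triage_new_drivers(log_text: str) -> List[DriverFinding]:
    """Newly created .sys files under system32\\drivers, each joined to its service entry."""
    services = {s["path"].lower(): s for s in parse_services(log_text)}
    findings = []
    for f in parse_files(log_text):
        lowered = f["path"].lower()
        if not lowered.endswith(".sys") or DRIVER_DIR not in lowered:
            continue
        svc = services.get(lowered)
        findings.append(DriverFinding(
            path=f["path"], created=f["created"], modified=f["modified"],
            size=int(f["size"]) if f["size"].isdigit() else None,
            service=svc["name"] if svc else None,
            start=svc["start"] if svc else None,
        ))
    return findings


def prioritize(findings: List[DriverFinding]) -> List[DriverFinding]:
    """Boot-start drivers first, then freshly written ones; ties keep log order."""
    return sorted(findings, key=lambda f: (f.boot_start, f.fresh), reverse=True)


if __name__ == "__main__":
    for f in prioritize(triage_new_drivers(SAMPLE_LOG)):
        flags = ("BOOT " if f.boot_start else "     ") + ("FRESH" if f.fresh else "     ")
        print(f"{flags}  {f.start or '--'}  {f.service or '-':<8} {f.path}")
```

The ranking is a triage hint for deciding which file to submit for analysis first, as the helper did with phooks.sys; it is not a verdict on any driver.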

Re: Malware removed, still unable to load windows normally
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


Re: Malware removed, still unable to load windows normally
Still won't boot to the desktop properly under normal startup. Can access the desktop in safe mode. On normal startup, get black screen - used to be desktop background wallpaper of default user, but I put a password on that user to prevent the computer from logging on automatically until the issue is resolved - not comfortable with it being on my network if virus/malware is still running on it. So now, instead of getting the default user's background, and nothing else, I just get a black screen. Seems as if something is preventing the computer from displaying windows.
