WiredWX Christian Hobby Weather Tools

 


Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

2 posters

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

No. It attempts to open Windows XP and then restarts and will loop back to the same screen: "We apologize for the inconvenience, but Windows did not start successfully. A recent hardware or software change may have caused this."

Thanks.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.
When booting, start tapping the F8 key to open the advanced boot menu.

Choose the option that says "Last Known Good Configuration" and see if you can boot now.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

I selected the "Last known good configuration" but it continues the same loop back to the same page without opening Windows XP. I feel terrible about shooting myself in the foot after all of your outstanding and brilliant efforts to help me through this nightmare.

Any other options?

D.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.
Do you have your XP disc?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Yes, I have the XP disk (Reinstallation CD MXP Home Edition Service Pack 2) that came with my Dell laptop, but will it work on my infected PC?

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

Should I try to load the disk?

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Yes please.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

I inserted the Windows XP CD in the PC and rebooted but the reinstallation does not start. It continues the same loop as before.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

When I attempted to run setup, I got this message:

"Setup could not continue because the version of Windows is newer than my CD. To erase the newer version and install the older version, restart the computer and boot from CD."

It won't start the installation because of the continual loop.

Thanks.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.
When prompted, did you type R for repair install?


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Belahzur,

We're back in business. I was able to do a system restore point to May 21st and then tried the ComboFix as directed. However, the ComboFix did not produce a log; it started the same loop again even though I did it right this time. Can you fix the internet connection without the ComboFix step?

Thanks!

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Re-Run OTL and post the new log.


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Okay.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Belahzur,

Here's the OTL log:
OTL logfile created on: 5/31/2010 9:44:48 PM - Run 3
OTL by OldTimer - Version 3.2.4.1 Folder = H:\
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.11)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

511.00 Mb Total Physical Memory | 204.00 Mb Available Physical Memory | 40.00% Memory free
1.00 Gb Paging File | 1.00 Gb Available in Paging File | 75.00% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.52 Gb Total Space | 52.15 Gb Free Space | 69.98% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
Drive H: | 1.86 Gb Total Space | 0.00 Gb Free Space | 0.00% Space Free | Partition Type: FAT
I: Drive not present or media not loaded

Computer Name: CUSTOMCOMPUTER
Current User Name: User1
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
PRC - [2010/04/15 08:25:20 | 001,872,320 | ---- | M] (Emsi Software GmbH) -- C:\Program Files\a-squared Free\a2service.exe
PRC - [2010/03/25 17:15:38 | 001,940,544 | ---- | M] (CallWave, Inc.) -- C:\Program Files\CallWave\IAM.exe
PRC - [2010/03/15 09:02:27 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/01/21 17:11:36 | 000,184,320 | ---- | M] () -- C:\Program Files\AMT Media Manager\AMTDeviceService.exe
PRC - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2007/08/09 14:56:26 | 000,388,936 | ---- | M] (Webroot Software, Inc.) -- C:\Program Files\Webroot\Washer\WasherSvc.exe
PRC - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
PRC - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Defender\MsMpEng.exe
PRC - [2004/12/29 07:01:56 | 000,544,768 | ---- | M] (Motorola Inc.) -- C:\WINDOWS\sm56hlpr.exe
PRC - [2003/11/18 14:11:04 | 000,565,248 | R--- | M] (VIA Technologies) -- C:\Program Files\VIA\RAID\raid_tool.exe
PRC - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


========== Modules (SafeList) ==========

MOD - [2010/05/31 21:28:23 | 000,163,840 | ---- | M] () -- C:\Program Files\CallWave\CWIdle.dll
MOD - [2010/05/14 11:21:04 | 000,570,880 | ---- | M] (OldTimer Tools) -- H:\OTL.exe
MOD - [2008/04/13 20:10:20 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2010/04/15 08:25:20 | 001,872,320 | ---- | M] (Emsi Software GmbH) [Auto | Running] -- C:\Program Files\a-squared Free\a2service.exe -- (a2free)
SRV - [2008/11/09 16:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2007/08/09 14:56:26 | 000,388,936 | ---- | M] (Webroot Software, Inc.) [Auto | Running] -- C:\Program Files\Webroot\Washer\WasherSvc.exe -- (wwEngineSvc)
SRV - [2007/06/05 17:23:28 | 000,561,152 | ---- | M] (Lavasoft AB) [Auto | Running] -- C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe -- (aawservice)
SRV - [2006/11/03 19:19:58 | 000,013,592 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MsMpEng.exe -- (WinDefend)
SRV - [2002/09/20 16:50:10 | 000,045,056 | ---- | M] (Analog Devices, Inc.) [Auto | Running] -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default))


========== Driver Services (SafeList) ==========

DRV - [2008/04/13 14:45:12 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/07/19 15:10:28 | 000,127,768 | ---- | M] (Kaspersky Lab) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\klif.sys -- (KLIF)
DRV - [2007/03/22 13:57:14 | 000,028,672 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\elagopro.sys -- (elagopro)
DRV - [2007/03/22 13:57:14 | 000,005,376 | --S- | M] (Gteko Ltd.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\elaunidr.sys -- (elaunidr)
DRV - [2006/02/21 20:46:26 | 001,505,792 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2005/09/19 08:41:00 | 000,241,280 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\yk51x86.sys -- (yukonwxp)
DRV - [2005/01/11 08:25:10 | 000,923,826 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\smserial.sys -- (smserial)
DRV - [2003/10/31 11:22:38 | 000,077,312 | R--- | M] (VIA Technologies inc,.ltd) [Kernel | Boot | Running] -- C:\WINDOWS\system32\DRIVERS\viasraid.sys -- (viasraid)
DRV - [2001/08/17 13:57:38 | 000,016,128 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page =
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.aol.com/
IE - HKCU\..\URLSearchHook: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" =
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:5555

========== FireFox ==========


FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/03/15 09:05:03 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/04/05 23:59:27 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/08 19:14:04 | 000,000,000 | ---D | M]

[2009/12/29 17:00:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions
[2009/07/01 19:21:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Extensions\mozswing@mozswing.org
[2010/05/12 22:29:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions
[2009/08/22 22:09:59 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/11 10:24:13 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2008/05/17 17:12:31 | 000,000,000 | ---D | M] (Sothink Web Video Downloader for Firefox) -- C:\Documents and Settings\User1\Application Data\Mozilla\Firefox\Profiles\aqsjgtw3.default\extensions\{FCAB6FDD-5585-425b-95C1-5ED856F3FD08}
[2010/05/15 14:32:41 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/05/08 19:14:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\zoomext@starfield
[2008/06/18 02:43:04 | 000,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2009/11/20 13:34:44 | 000,218,624 | ---- | M] (Starfield Technology, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npwbe.dll

O1 HOSTS File: ([2010/05/22 19:35:03 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: () - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (SSVHelper Class) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O4 - HKLM..\Run: [AMTDeviceService] C:\Program Files\AMT Media Manager\AMTDeviceService.exe ()
O4 - HKLM..\Run: [SMSERIAL] C:\WINDOWS\sm56hlpr.exe (Motorola Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [cdloader] C:\Documents and Settings\User1\Application Data\mjusbsp\cdloader2.exe (magicJack L.P.)
O4 - HKCU..\Run: [DW6] C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe File not found
O4 - HKCU..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKCU..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CallWave.lnk = C:\Program Files\CallWave\IAM.exe (CallWave, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe (VIA Technologies)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run: rf4qy = C:\DOCUME~1\User1\LOCALS~1\Temp\b8n8nse.exe File not found
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll (Google Inc.)
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.)
O9 - Extra Button: Show BookTemplate Toolbar! - {4444FF7E-2019-4df0-B7FD-B7F20FE02417} - Reg Error: Key error. File not found
O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O15 - HKCU\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} http://aol.worldwinner.com/games/v47/shared/FunGamesLoader.cab (FunGamesLoader Object)
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1181362346140 (WUWebControl Class)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab (HpProductDetection Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181598201406 (MUWebControl Class)
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://javadl-esd.sun.com/update/1.6.0/jinstall-6u1-windows-i586-jc.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} http://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab (HPSDDX Class)
O16 - DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} http://www.worldwinner.com/games/v45/royal/royal.cab (Royal Control)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Java Plug-in 1.6.0_01)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: Web-Based Email Tools http://email.secureserver.net/Download.CAB (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 68.87.68.166 68.87.74.166
O18 - Protocol\Handler\ic32pp {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll ()
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - Ati2evxx.dll - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O24 - Desktop WallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O24 - Desktop BackupWallPaper: C:\WINDOWS\Web\Wallpaper\Bliss.bmp
O28 - HKLM ShellExecuteHooks: {091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} - C:\Program Files\Windows Defender\MpShHook.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/06/08 23:03:50 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\AutoRun\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\install\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualEnglish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualFrench\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{3bacd542-6658-11de-b549-0011d8894b72}\Shell\usermanualSpanish\command - "" = F:\rcaeasyrip_setup.exe -- File not found
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell - "" = AutoRun
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9e6b7f2c-90ed-11de-b59e-0011d8894b72}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (smrgdf C:\Documents and Settings\User1\Application Data\iolo\) - File not found
O34 - HKLM BootExecute: (lsdelete) - C:\WINDOWS\System32\lsdelete.exe ()
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/26 23:48:59 | 000,000,000 | ---D | C] -- C:\Program Files\Lavasoft
[2010/05/26 23:48:50 | 000,000,000 | ---D | C] -- C:\WINDOWS\0E6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
[2010/05/26 23:48:40 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/26 23:40:49 | 000,000,000 | ---D | C] -- C:\Program Files\AsesoftNet iToolbar
[2010/05/26 23:40:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/05/26 23:39:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/26 23:24:16 | 000,000,000 | ---D | C] -- C:\Combo-Fix(3)
[2010/05/26 22:39:50 | 000,000,000 | ---D | C] -- C:\RECYCLER(3)
[2010/05/22 21:08:49 | 000,000,000 | -HSD | C] -- C:\RECYCLER(2)
[2010/05/22 21:08:09 | 000,000,000 | --SD | C] -- C:\Combo-Fix(2)
[2010/05/22 19:42:32 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/05/21 21:52:22 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/21 21:52:02 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/05/20 21:54:43 | 000,000,000 | ---D | C] -- C:\Inetpub
[2010/05/15 10:25:49 | 000,000,000 | ---D | C] -- C:\Program Files\a-squared Free
[2010/05/13 07:54:19 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\MpEngineStore
[2010/05/12 22:26:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Local Settings\Application Data\lrcldabqi
[2010/05/12 22:26:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\Application Data\ATManager
[2010/05/11 11:56:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User1\My Documents\DCFS-Apps_Rules
[2010/05/08 19:14:01 | 000,000,000 | ---D | C] -- C:\Program Files\Starfield
[2005/08/31 21:33:54 | 000,092,672 | ---- | C] ( ) -- C:\WINDOWS\System32\DVDRead.dll
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/31 21:30:45 | 000,000,330 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2010/05/31 21:30:36 | 000,000,235 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\Shortcut to _OTL.lnk
[2010/05/31 21:28:15 | 000,000,260 | ---- | M] () -- C:\WINDOWS\tasks\WGASetup.job
[2010/05/31 21:28:12 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/31 21:27:40 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/31 21:27:39 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/31 21:27:37 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/31 21:27:35 | 535,613,440 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/27 00:07:24 | 008,749,056 | ---- | M] () -- C:\Documents and Settings\User1\ntuser.dat
[2010/05/27 00:07:24 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\User1\ntuser.ini
[2010/05/27 00:07:18 | 004,314,720 | -H-- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\IconCache.db
[2010/05/22 19:35:42 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/22 19:35:03 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/05/20 21:55:21 | 000,005,878 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/05/15 10:31:49 | 000,000,648 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/05/13 19:53:50 | 000,096,477 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\~$imalistic_Thinking_Manuscript_5.10.10.docx
[2010/05/13 17:43:11 | 000,000,976 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/13 14:20:44 | 000,001,004 | ---- | M] () -- C:\Documents and Settings\User1\Desktop\magicJack.lnk
[2010/05/13 07:57:53 | 000,000,340 | ---- | M] () -- C:\WINDOWS\System32\MRT.INI
[2010/05/12 22:27:53 | 000,210,816 | ---- | M] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/05/12 20:09:36 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
[2010/05/12 08:47:53 | 000,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | M] () -- C:\WINDOWS\QTFont.for
[2010/05/11 11:49:02 | 000,055,352 | ---- | M] () -- C:\Documents and Settings\User1\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/09 19:25:33 | 000,044,032 | ---- | M] () -- C:\Documents and Settings\User1\My Documents\Zow_Group_990_Assistance.2009_J.Bowling.doc
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\MpSigStub.exe
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[5 C:\Documents and Settings\User1\My Documents\*.tmp files -> C:\Documents and Settings\User1\My Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/31 21:30:36 | 000,000,235 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\Shortcut to _OTL.lnk
[2010/05/26 23:51:57 | 535,613,440 | -HS- | C] () -- C:\hiberfil.sys
[2010/05/21 21:40:54 | 008,749,056 | ---- | C] () -- C:\Documents and Settings\User1\ntuser.dat
[2010/05/15 10:26:07 | 000,000,648 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\a-squared Free.lnk
[2010/05/13 19:53:50 | 000,096,477 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\~$imalistic_Thinking_Manuscript_5.10.10.docx
[2010/05/13 16:04:11 | 000,005,074 | ---- | C] () -- C:\Documents and Settings\User1\avgrep.txt
[2010/05/12 22:27:53 | 000,210,816 | ---- | C] () -- C:\WINDOWS\System32\dllcache\ndis.sys
[2010/05/12 22:27:22 | 000,000,976 | ---- | C] () -- C:\Documents and Settings\User1\Desktop\ATManager.lnk
[2010/05/12 22:18:40 | 000,014,047 | ---- | C] () -- C:\Documents and Settings\User1\hs_err_pid2804.log
[2010/05/12 08:47:53 | 000,054,156 | -H-- | C] () -- C:\WINDOWS\QTFont.qfn
[2010/05/12 08:47:53 | 000,001,409 | ---- | C] () -- C:\WINDOWS\QTFont.for
[2010/05/09 19:25:33 | 000,044,032 | ---- | C] () -- C:\Documents and Settings\User1\My Documents\Zow_Group_990_Assistance.2009_J.Bowling.doc
[2010/04/13 09:18:54 | 000,051,712 | ---- | C] () -- C:\WINDOWS\wc98pp.dll
[2009/12/27 16:39:33 | 000,001,264 | ---- | C] () -- C:\WINDOWS\disney.ini
[2009/12/04 00:54:02 | 000,000,002 | ---- | C] () -- C:\WINDOWS\PhotoSuite.ini
[2009/12/04 00:53:53 | 000,458,752 | ---- | C] () -- C:\WINDOWS\System32\Fpl.dll
[2009/12/04 00:53:51 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Jpeglib.dll
[2009/12/04 00:53:50 | 000,332,800 | ---- | C] () -- C:\WINDOWS\System32\Fpxlib.dll
[2009/12/04 00:53:49 | 000,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2009/10/07 21:43:45 | 000,000,074 | ---- | C] () -- C:\WINDOWS\st_affiliate.ini
[2009/10/06 19:20:10 | 000,056,832 | RHS- | C] () -- C:\WINDOWS\System32\mfszwmz.dll
[2009/04/15 18:35:24 | 000,018,790 | ---- | C] () -- C:\WINDOWS\System32\ddmon.dll
[2008/05/27 18:04:07 | 000,000,100 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/05/22 17:00:13 | 000,000,037 | ---- | C] () -- C:\WINDOWS\SWFConverter.INI
[2008/05/22 17:00:09 | 000,761,856 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/05/22 17:00:09 | 000,135,168 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/05/12 09:33:55 | 000,000,390 | ---- | C] () -- C:\WINDOWS\hpbafd.ini
[2008/05/09 22:18:19 | 000,000,000 | ---- | C] () -- C:\WINDOWS\HPMProp.INI
[2008/03/12 18:54:31 | 000,000,340 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2007/06/11 17:41:23 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/06/09 01:42:41 | 000,155,648 | ---- | C] () -- C:\WINDOWS\System32\ssleay32.dll
[2007/06/09 01:42:40 | 000,696,320 | ---- | C] () -- C:\WINDOWS\System32\libeay32.dll
[2007/06/09 00:09:05 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2004/11/11 02:16:10 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56chs.dll
[2004/11/10 05:42:22 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56eng.dll
[2004/11/10 05:42:22 | 000,049,152 | ---- | C] () -- C:\WINDOWS\sm56jpn.dll
[2004/11/10 05:42:20 | 000,045,056 | ---- | C] () -- C:\WINDOWS\sm56cht.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56spn.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56itl.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56ger.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56fra.dll
[2004/11/02 11:12:20 | 000,065,536 | ---- | C] () -- C:\WINDOWS\sm56brz.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 134 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:E6F9610D
< End of report >

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.

Please run OTL.exe.

  • Copy the commands with file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


    :OTL
    IE - HKCU\..\URLSearchHook: {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - Reg Error: Key error. File not found
    IE - HKCU\..\URLSearchHook: {E38FA08E-F56A-4169-ABF5-5C71E3C153A1} - Reg Error: Key error. File not found
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.



  • Return to OTL, right click in the "Custom Scans/Fixes" window (under the light green bar) and choose Paste.

  • Click the red Run Fix button.
  • A fix log in Notepad will appear. Copy the contents of the fix log to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTL.exe
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Here it is:

========== OTL ==========
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E38FA08E-F56A-4169-ABF5-5C71E3C153A1}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{CCC7A320-B3CA-4199-B1A6-9F516DD69829} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCC7A320-B3CA-4199-B1A6-9F516DD69829}\ not found.

OTL by OldTimer - Version 3.2.4.1 log created on 06012010_231428

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Belahzur,

Please see Post 10 & 11 and let me know if you want me to repeat it. Remember, I can't update the MBAM due to lack of internet connection.

Thanks.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Damn proxy is annoying as hell, ain't it?

Remove the Proxy setting in Internet Explorer and/or in FireFox.

    In Internet Explorer
  1. Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "use a proxy server" or reconfigure the Proxy server again in case you have set it previously.

    In Firefox
  1. Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection > Choose "No Proxy"
  2. Click the apply button and restart that computer in normal mode.


Do you have a net connection now?

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Unfortunately--No. Those "low-life criminal virus pirates" really did a job on my PC. I am confident that you will beat them!

I await your next direction.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [Screenshots: CF_download_FF, CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [Screenshot: Cf410]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [Screenshot: Cf510]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

Please see Post 16-22, I already ran the combofix and ran into a roadblock. I realize our dialogue has been going on for over three weeks and I appreciate your patience.

Thanks.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

I know, but try again please.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

Here's the log:
ComboFix 10-06-08.02 - User1 06/09/2010 0:33.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.198 [GMT -4:00]
Running from: H:Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-05-09 to 2010-06-09 )))))))))))))))))))))))))))))))
.

2010-05-27 03:49 . 2010-05-27 03:49 -------- d-----w- c:windowssystem32wbemRepository
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:program filesLavasoft
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:windowsE6AB9FC76C2431B9C066C1CFFFEA8EB.TMP
2010-05-27 03:48 . 2010-05-27 03:48 -------- d-----w- c:program filesCommon FilesWise Installation Wizard
2010-05-27 03:39 . 2010-05-27 03:39 -------- d-----w- c:program filesMalwarebytes' Anti-Malware
2010-05-27 03:24 . 2010-05-27 03:39 -------- d-----w- C:Combo-Fix(3)
2010-05-27 02:39 . 2010-05-27 03:40 -------- d-----w- C:RECYCLER(3)
2010-05-23 01:08 . 2010-05-27 03:40 -------- d-----w- C:RECYCLER(2)
2010-05-23 01:08 . 2010-05-27 03:40 -------- d-----w- C:Combo-Fix(2)
2010-05-21 01:54 . 2010-05-21 01:55 -------- d-----w- C:Inetpub
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:documents and settingsUser2Local SettingsApplication DataYahoo
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:documents and settingsUser2Local SettingsApplication DataGoogle
2010-05-20 23:53 . 2010-05-20 23:53 -------- d-----w- c:documents and settingsUser2Application DataYahoo!
2010-05-18 01:07 . 2010-05-18 01:07 -------- d-----w- c:documents and settingsUser2Local SettingsApplication DataPCHealth
2010-05-15 14:51 . 2010-05-15 14:51 -------- d-----w- c:documents and settingsUser2Application DataMalwarebytes
2010-05-15 14:25 . 2010-05-27 03:47 -------- d-----w- c:program filesa-squared Free
2010-05-13 18:19 . 2010-02-26 23:51 6870864 ---ha-w- c:documents and settingsUser1Application Datamjusbspin00000setup.exe
2010-05-13 18:19 . 2010-02-26 23:45 743872 ---ha-w- c:documents and settingsUser1Application Datamjusbspar00000install.exe
2010-05-13 11:54 . 2010-05-13 12:15 -------- d-----w- c:windowssystem32MpEngineStore
2010-05-13 02:27 . 2010-05-13 02:27 210816 -c--a-w- c:windowssystem32dllcachendis.sys
2010-05-13 02:26 . 2010-05-21 01:27 -------- d-----w- c:documents and settingsUser1Local SettingsApplication Datalrcldabqi

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 03:47 . 2007-06-09 05:39 -------- d-----w- c:program filesSpybot - Search & Destroy
2010-05-27 03:39 . 2007-06-09 05:39 -------- d-----w- c:documents and settingsAll UsersApplication DataSpybot - Search & Destroy
2010-05-22 23:35 . 2009-02-05 16:41 -------- d-----w- c:program filesCallWave
2010-05-22 01:39 . 2008-08-05 23:49 -------- d-----w- c:documents and settingsAll UsersApplication Dataavg8
2010-05-13 18:20 . 2009-06-26 23:08 -------- d-----w- c:documents and settingsUser1Application Datamjusbsp
2010-05-13 11:51 . 2010-03-22 16:28 -------- d-----w- c:documents and settingsAll UsersApplication DataMicrosoft Help
2010-05-11 15:49 . 2007-06-09 05:40 55352 ----a-w- c:documents and settingsUser1Local SettingsApplication DataGDIPFONTCACHEV1.DAT
2010-05-09 23:00 . 2009-07-01 23:21 -------- d-----w- c:documents and settingsUser1Application DataLimeWire
2010-05-08 23:14 . 2010-05-08 23:14 -------- d-----w- c:program filesStarfield
2010-05-06 14:36 . 2009-10-03 15:57 221568 ------w- c:windowssystem32MpSigStub.exe
2010-05-04 12:20 . 2009-12-04 04:53 -------- d-----w- c:documents and settingsUser1Application DataMGI
2010-04-29 19:39 . 2009-10-15 01:58 38224 ----a-w- c:windowssystem32driversmbamswissarmy.sys
2010-04-29 19:39 . 2009-10-15 01:58 20952 ----a-w- c:windowssystem32driversmbam.sys
2010-04-14 03:53 . 2010-04-14 03:53 -------- d-----w- c:program filesTrueSwitch
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginThinShimsrpnpshimwmp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginThinShimsrpnpshimswf.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginThinShimsrpnpshimrp.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginThinShimsrpnpshimqt.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginFirefoxExtComponentsnprpffbrowserrecordext.dll
2010-03-15 13:05 . 2010-03-15 13:05 300616 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginCommonrpmainbrowserrecordplugin.dll
2010-03-15 13:05 . 2010-03-15 13:05 118784 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginChromeHookrpchromebrowserrecordhelper.dll
2010-03-15 13:05 . 2010-03-15 13:05 329312 ----a-w- c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginIErpbrowserrecordplugin.dll
2010-03-15 13:02 . 2007-06-09 05:38 499712 ----a-w- c:windowssystem32msvcp71.dll
2010-03-15 13:02 . 2007-06-09 05:38 348160 ----a-w- c:windowssystem32msvcr71.dll
2010-03-11 12:38 . 2004-08-04 01:07 832512 ----a-w- c:windowssystem32wininet.dll
2010-03-11 12:38 . 2004-08-04 01:07 78336 ----a-w- c:windowssystem32ieencode.dll
2010-03-11 12:38 . 2004-08-04 01:07 17408 ------w- c:windowssystem32corpol.dll
2009-10-06 23:20 . 2009-10-06 23:20 56832 --sha-r- c:windowssystem32mfszwmz.dll
2008-04-02 12:59 . 2008-04-01 15:48 2159392 --sha-w- c:windowssystem32driversfidbox.dat
.

------- Sigcheck -------

[-] 2010-05-13 02:27 . 09925C49086F2785C061418F7FCA406F . 210816 . . [------] . . c:windowssystem32dllcachendis.sys
[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . c:windowsServicePackFilesi386ndis.sys
[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . c:windows$NtServicePackUninstall$ndis.sys

c:windowsSystem32driversndis.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USERSOFTWAREMicrosoftWindowsCurrentVersionRun]
"cdloader"="c:documents and settingsUser1Application Datamjusbspcdloader2.exe" [2010-02-26 50520]
"Weather"="c:program filesAWSWeatherBugWeather.exe" [BU]
"DW6"="c:program filesThe Weather Channel FWDesktopDesktopWeather.exe" [BU]
"swg"="c:program filesGoogleGoogleToolbarNotifierGoogleToolbarNotifier.exe" [2009-12-20 39408]
"Messenger (Yahoo!)"="c:progra~1Yahoo!MessengerYahooMessenger.exe" [2009-11-10 5244216]

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun]
"SMSERIAL"="sm56hlpr.exe" [2004-12-29 544768]
"AMTDeviceService"="c:program filesAMT Media ManagerAMTDeviceService.exe" [2009-01-21 184320]
"Adobe Reader Speed Launcher"="c:program filesAdobeReader 9.0ReaderReader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:program filesCommon FilesAdobeARM1.0AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:program filesCommon FilesRealUpdate_OBrealsched.exe" [2010-03-15 202256]

[HKEY_USERS.DEFAULTSoftwareMicrosoftWindowsCurrentVersionRun]
"DWQueuedReporting"="c:progra~1COMMON~1MICROS~1DWdwtrig20.exe" [2008-11-04 435096]

c:documents and settingsAll UsersStart MenuProgramsStartup
CallWave.lnk - c:program filesCallWaveIAM.exe [2009-2-5 1940544]
VIA RAID TOOL.lnk - c:program filesVIARAIDraid_tool.exe [2007-6-9 565248]

[HKEY_LOCAL_MACHINEsystemcurrentcontrolsetcontrolsession manager]
BootExecute REG_MULTI_SZ autocheck autochk *smrgdf c:documents and settingsUser1Application Dataiolo\0lsdelete

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalaawservice]
@="Service"

[HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimalWinDefend]
@="Service"

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigstartupregiTunesHelper]
2007-06-01 20:51 257088 ----a-w- c:program filesiTunesiTunesHelper.exe

[HKEY_LOCAL_MACHINEsoftwaremicrosoftshared toolsmsconfigservices]
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM~servicessharedaccessparametersfirewallpolicystandardprofileAuthorizedApplicationsList]
"c:\Program Files\iTunes\iTunes.exe"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\QuickTime\QuickTimePlayer.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=
"c:\Program Files\LimeWire\LimeWire.exe"=
"c:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"=
"c:\WINDOWS\system32\dpvsetup.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Mozilla Firefox\firefox.exe"=
"c:\Program Files\CallWave\IAM.exe"=
"c:\Documents and Settings\User1\Application Data\mjusbsp\magicJack.exe"=

R0 viasraid;viasraid;c:windowssystem32driversviasraid.sys [6/9/2007 3:23 AM 77312]
R2 a2free;a-squared Free Service;c:program filesa-squared Freea2service.exe [5/15/2010 10:25 AM 1872320]
R2 WinDefend;Windows Defender;c:program filesWindows DefenderMsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 wwEngineSvc;Window Washer Engine;c:program filesWebrootWasherWasherSvc.exe [1/30/2008 9:34 AM 388936]
S3 isaxbox;isaxbox;??c:windowssystem32isaxbox.sys --> c:windowssystem32isaxbox.sys [?]

[HKEY_LOCAL_MACHINEsoftwaremicrosoftwindows ntcurrentversionsvchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-06-09 c:windowsTasksMP Scheduled Scan.job
- c:program filesWindows DefenderMpCmdRun.exe [2006-11-03 23:20]

2010-06-09 c:windowsTasksRealUpgradeLogonTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:program filesRealRealUpgraderealupgrade.exe [2010-02-25 02:09]

2010-05-13 c:windowsTasksRealUpgradeScheduledTaskS-1-5-21-117609710-879983540-725345543-1003.job
- c:program filesRealRealUpgraderealupgrade.exe [2010-02-25 02:09]

2010-06-09 c:windowsTasksWGASetup.job
- c:windowssystem32KB905474wgasetup.exe [2009-04-10 03:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
IE: E&xport to Microsoft Excel - c:progra~1MICROS~2Office12EXCEL.EXE/3000
IE: Google Sidewiki... - c:program filesGoogleGoogle ToolbarComponentGoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
IE: {{4444FF7E-2019-4df0-B7FD-B7F20FE02417} - {ccdc304a-4095-46a4-8b66-2b5cb3dfca3c} -
Trusted Zone: turbotax.com
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} -
DPF: Web-Based Email Tools - hxxp://email.secureserver.net/Download.CAB
FF - ProfilePath - c:documents and settingsUser1Application DataMozillaFirefoxProfilesaqsjgtw3.default
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - component: c:documents and settingsAll UsersApplication DataRealRealPlayerBrowserRecordPluginFirefoxExtcomponentsnprpffbrowserrecordext.dll
FF - plugin: c:program filesMozilla FirefoxpluginsnpCouponPrinter.dll
FF - plugin: c:program filesMozilla Firefoxpluginsnpwbe.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:program filesMozilla Firefoxgreprefssecurity-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-09 00:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(276)
c:windowssystem32WININET.dll
c:windowssystem32Ati2evxx.dll

- - - - - - - > 'lsass.exe'(344)
c:windowssystem32WININET.dll

- - - - - - - > 'explorer.exe'(3204)
c:windowssystem32WININET.dll
c:program filesCallWaveCWIdle.dll
c:windowssystem32ieframe.dll
c:windowssystem32WPDShServiceObj.dll
c:windowssystem32PortableDeviceTypes.dll
c:windowssystem32PortableDeviceApi.dll
.
Completion time: 2010-06-09 00:49:16
ComboFix-quarantined-files.txt 2010-06-09 04:49
ComboFix2.txt 2010-06-09 03:06
ComboFix3.txt 2010-05-22 23:42

Pre-Run: 55,854,080,000 bytes free
Post-Run: 55,817,322,496 bytes free

- - End Of File - - E33EB7DE76941C05FC65E80D8AF173F9
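
The `ProxyServer` line in the Supplementary Scan section of this log sends Internet Explorer's HTTP traffic to a listener on the local machine. As an added example (not part of the original posts and not ComboFix code), this Python sketch picks such lines out of a ComboFix-style log and reports every proxy entry that resolves to loopback; the last two sample lines and all function names are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: the first three lines are copied from the Supplementary
# Scan section of the ComboFix log on this page; the last two are made up to
# show the other value formats the ProxyServer setting can take.
SAMPLE_LOG = """\
uStart Page = hxxp://www.aol.com/
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uInternet Settings,ProxyServer = proxy.example.internal:8080
uInternet Settings,ProxyServer = http=proxy.example.internal:3128;https=localhost:8443
"""

PROXY_LINE = re.compile(r"^\w?Internet Settings,ProxyServer\s*=\s*(.*)$")
SCHEME_PREFIX = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def parse_proxy_server(value):
    """Split a ProxyServer value into (protocol, host, port) tuples.

    Handles "host:port" (one proxy for every protocol) and the per-protocol
    form "http=host:port;https=host:port". Port is None when absent.
    """
    entries = []
    for item in re.split(r"[;\s]+", value.strip()):
        if not item:
            continue
        protocol, sep, target = item.partition("=")
        if not sep:                       # no "proto=" prefix on this entry
            protocol, target = "all", item
        target = SCHEME_PREFIX.sub("", target)
        if target.startswith("[") and "]" in target:    # bracketed IPv6 literal
            end = target.index("]")
            host, port = target[1:end], target[end + 1:].lstrip(":")
        elif ":" in target:
            host, _, port = target.rpartition(":")
        else:
            host, port = target, ""
        entries.append((protocol.lower(), host, int(port) if port.isdigit() else None))
    return entries


def is_loopback(host):
    """True for 'localhost' and for any IP literal in a loopback range."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                    # a hostname, not an IP literal
        return False


def find_loopback_proxies(log_text):
    """Return (line_no, protocol, host, port) for each loopback proxy entry."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        match = PROXY_LINE.match(line.strip())
        if not match:
            continue
        for protocol, host, port in parse_proxy_server(match.group(1)):
            if is_loopback(host):
                findings.append((line_no, protocol, host, port))
    return findings


if __name__ == "__main__":
    for line_no, protocol, host, port in find_loopback_proxies(SAMPLE_LOG):
        print(f"line {line_no}: {protocol} traffic is proxied to {host}:{port} on this machine")
```

A hit means only that browser traffic is redirected to the local machine; whether the listener is a legitimate local filter or something else still has to be checked against what is bound to that port.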

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:


    Folder::
    c:\documents and settings\User1\Local Settings\Application Data\lrcldabqi

    Driver::
    isaxbox

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =

    FCopy::
    c:\windows\system32\dllcache\ndis.sys | c:\windows\System32\drivers\ndis.sys

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [Screenshot: Cfscriptb4i]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

After dragging CFScript into Combofix, I am getting the following message:

Were you trying to run CFScript?

The name, CFScript appears to be incorrectly spelt

I clicked OK but nothing happens. I triple-checked the spelling and it's accurate.

Now what? Thanks.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.
I attached the script to my post, download that, then try my instructions again.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

B.

Unfortunately, I received the same error message. Do you think my PC is demon possessed?

Let me think. I have to try to laugh to keep from pulling my hair out...

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Hello.
Sorry for the delay.

Okay, do you have your XP disc? Just in case we need it.

............................................................................................

Site Admin / Security Administrator


Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Yes.

Re: Shut Down by Trojan Horse Downloader.Agent2.SNU HELP!

Belahzur,

I wanted to take this opportunity to thank you so much for your assistance and expertise! I have not been able to access the internet due to the virus attack for over a month. Unfortunately, I guess it is time to throw in the towel due to the period of time that we have been at this.

Please know that I will be making a donation to this great humanitarian website.