WiredWX Hobby Weather Tools

NEED TO READ LOG FILES of combo fix
ComboFix 12-01-23.02 - Owner 01/24/2012 17:26:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.894.410 [GMT 8:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\CFLog
c:\documents and settings\All Users.WINDOWS\Application Data\TEMP
c:\documents and settings\Owner\Application Data\Toolbar4
c:\documents and settings\Owner\Local Settings\Application Data\Minibar
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\background.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\cached_http_request.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\extension_info.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon128.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon19.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon32.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\icons\icon48.png
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\includes\content_userscript.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\button.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango-ui\ui.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\browser.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\console.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\event_listener.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\initialize.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\io.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\jsonstorage.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\kango.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\lang.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\messaging.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\userscript_engine.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\kango\xhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\main.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\manifest.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\actions.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\cachedxhr.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\config.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\macros.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\minibar\minibar.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\popup.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.html
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome\tab.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\chrome_installer.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\common.js
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\install.json
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\minibar.crx
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\sqlite3.exe
c:\documents and settings\Owner\Local Settings\Application Data\Minibar\Uninstall.exe
c:\documents and settings\Owner\Recent\Thumbs.db
c:\documents and settings\Owner\WINDOWS
c:\documents and settings\PC-4\WINDOWS
c:\windows\start.exe
c:\windows\system32.exe
c:\windows\system32\28463
c:\windows\system32\ijl11.dll
c:\windows\system32\Temp
c:\windows\system32\UNWISE.EXE
c:\windows\XSxS
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2011-12-24 to 2012-01-24 )))))))))))))))))))))))))))))))
.
.
2012-01-21 09:14 . 2012-01-21 09:14 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\PopCapv1005
2012-01-16 04:51 . 2012-01-16 04:52 -------- d-----w- c:\program files\mass effect
2012-01-16 04:16 . 2012-01-16 04:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\IsolatedStorage
2012-01-14 20:56 . 2012-01-14 20:56 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\NCH Software
2012-01-14 20:55 . 2012-01-14 20:55 -------- d-----w- c:\program files\NCH Software
2012-01-14 20:53 . 2012-01-14 20:53 -------- d-----w- c:\documents and settings\Owner\Application Data\NCH Software
2012-01-06 06:29 . 2012-01-06 06:29 -------- d--h--w- c:\documents and settings\All Users.WINDOWS\Application Data\CanonIJEPPEX
2012-01-02 09:56 . 2001-08-17 14:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2012-01-02 09:56 . 2004-08-03 16:56 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- C:\IGG
2011-12-31 02:29 . 2011-12-31 02:29 -------- d-----w- c:\documents and settings\Owner\Application Data\IGG
2011-12-30 13:16 . 2011-12-30 13:16 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Unity
2011-12-27 12:32 . 2011-12-28 13:22 417440 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2011-12-27 11:58 . 2012-01-10 21:05 -------- d-----w- c:\documents and settings\Owner\Application Data\DMCache
2011-12-27 10:21 . 2011-12-27 10:21 -------- d-----w- C:\eula
2011-12-27 02:14 . 2011-12-27 02:28 -------- d-----w- C:\Downloads
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-28 13:22 . 2011-08-17 21:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-01 14:03 . 2011-12-01 14:03 685816 ----a-w- c:\windows\system32\drivers\sptd.sys
2011-11-22 09:14 . 2011-11-16 04:20 225280 ----a-w- c:\windows\system32\npeuiocell.dll
2011-11-16 04:20 . 2011-11-16 04:20 208896 ----a-w- c:\windows\system32\npeauth.dll
2011-11-16 04:20 . 2011-11-16 04:20 151552 ----a-w- c:\windows\system32\npeudelself.exe
2011-11-11 15:44 . 2011-08-18 11:15 40832 ----a-w- c:\windows\system32\drivers\Yonline.ahc
2011-10-28 02:43 . 2011-11-09 02:55 150 ----a-w- c:\windows\Crack.reg
2012-01-22 01:34 . 2011-12-27 12:32 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-08-17 . 6E8CA4FCB30282F216F5DB9DD58A5F81 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-05-09 09:49 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTo2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\prxtbuTo2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"nwiz"="nwiz.exe" [2006-10-31 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-31 86016]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2011-08-18 281768]
"RTHDCPL"="RTHDCPL.EXE" [2009-08-24 18702336]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-02-28 10:07 1828136 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
2008-02-18 09:29 2221352 ----a-w- c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-04-28 09:14 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\e-Games\\PointblankPH\\PointBlank.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"d:\\Program Files\\GameClub\\Philippines\\SpecialForce\\specialforce.exe"=
"d:\\Program Files\\Garena Classic\\Garena.exe"=
"c:\\Program Files\\FlashGet Network\\FlashGet 3\\FlashGet3.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DFIGames\\Dragonfly\\Special Force PH\\SpecialForce.exe"=
.
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/1/2011 10:03 PM 685816]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [8/18/2011 4:51 AM 13696]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/18/2011 5:08 AM 136360]
R2 Yonline;Yonline;c:\windows\system32\drivers\Yonline.ahc [8/18/2011 7:15 PM 40832]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 1:34 PM 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [10/27/2010 6:23 PM 1483072]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [12/27/2011 8:32 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/18/2011 4:54 AM 1684736]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\EagleXNt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 GGSAFERDriver;GGSAFER Driver;\??\d:\program files\Garena Classic\safedrv.sys --> d:\program files\Garena Classic\safedrv.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 XDva383;XDva383;\??\c:\windows\system32\XDva383.sys --> c:\windows\system32\XDva383.sys [?]
S3 XDva389;XDva389;\??\c:\windows\system32\XDva389.sys --> c:\windows\system32\XDva389.sys [?]
S3 XDva390;XDva390;\??\c:\windows\system32\XDva390.sys --> c:\windows\system32\XDva390.sys [?]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-12-27 13:22]
.
2012-01-17 c:\windows\Tasks\videopadShakeIcon.job
- c:\program files\NCH Software\VideoPad\videopad.exe [2012-01-14 18:36]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.tune-up.com/link/?target=installhelp&errorcode=0&action=1&tu_ighash=3-p4Og3vTN-g6Db10-dRsQ~~&tu_product=tuu2011&tu_version=10.0.2011.65&tu_lang=en-US&os_ver=5.1.2600&os_sp=2.0&os_suite=768&os_x64=0&os_syslang=en-US&os_userlang=en-US&os_id=1&os_usercountry=US
IE: Download all by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\Owner\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 121.1.3.82 121.1.3.20
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\csrjd501.default\
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-ApnUpdater - c:\program files\Ask.com\Updater\Updater.exe
MSConfigStartUp-System32 - c:\windows\System32.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-24 17:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Yonline]
"ImagePath"="\??\c:\windows\system32\drivers\Yonline.ahc"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):58,dd,57,b8,80,dd,3b,23,f8,41,12,c5,2d,88,19,86,4c,4d,95,24,c3,
86,61,bd,1b,bf,44,58,b1,fa,2c,a4,12,16,a9,d9,68,07,88,7c,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{846287ce-1022-4595-8337-67e6beb862b9}]
@Denied: (Full) (Everyone)
"Model"=dword:00000009
"Therad"=dword:00000008
.
Completion time: 2012-01-24 17:31:46
ComboFix-quarantined-files.txt 2012-01-24 09:31
.
Pre-Run: 42,708,258,816 bytes free
Post-Run: 43,955,462,144 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 52844B0EF7A35B02E6C20B73C1DE5C88

Re: NEED TO READ LOG FILES of combo fix
Hello.
Do you have your XP disc?

Re: NEED TO READ LOG FILES of combo fix

Yes, I have my XP disc, but it is only a crack disk I have, not the original disc. Please help me.

Re: NEED TO READ LOG FILES of combo fix

Shouldn't be too bad; as long as it's the disc for this OS, we can still use it.

Put the disc in the machine, is there an i386 folder on it?

Re: NEED TO READ LOG FILES of combo fix

Yes, it has i386. What should I do?

Re: NEED TO READ LOG FILES of combo fix
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

cmd

That will open the command prompt. In the command prompt, type the following command.

expand X:\i386\winlogon.ex_ C:\winlogon.exe

If you've entered that correctly, it should say 1 file(s) expanded successfully & there should now be a winlogon.exe in your C:\ drive.

Re: NEED TO READ LOG FILES of combo fix

I don't have this message: 1 file(s) expanded successfully

but this message appeared in my cmd:

e:\i386\winlogon.ex_ : 261115 bytes expanded to 502272 bytes 92% increase.

and my C:\ drive now has winlogon.exe.

What step should I do next?

Re: NEED TO READ LOG FILES of combo fix
Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    FCopy::
    c:\windows\system32\dllcache\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
    c:\winlogon.exe | c:\windows\system32\winlogon.exe

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    [image: CFScript.txt being dragged onto ComboFix.exe]

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
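Added example, not from this thread and not part of ComboFix: a script that reads the Sigcheck section of the log posted above, flags the live file whose MD5 differs from the protected dllcache copy (tcpip.sys) and the file that fails the signature check with no dllcache copy in the log (winlogon.exe), and writes out the same FCopy:: lines the helper composed by hand. It assumes the log's [7] marker means the file passed the signature check and [-] means it did not, that the FCopy:: line syntax is "source | destination" as shown in the script above, and that c:\winlogon.exe is the copy expanded from the CD's i386 folder; the sample log lines are copied from the log in the first post.

```python
"""Parse a ComboFix Sigcheck section, find live system files that no longer match
their dllcache copy, and emit FCopy:: lines for a CFScript (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the Sigcheck lines copied from the log posted above.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2006-02-28 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2006-02-28 . C1783498EDB152656303B5D5BCABD86C . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\tcpip.sys
.
[-] 2011-08-17 . 6E8CA4FCB30282F216F5DB9DD58A5F81 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
"""

# One Sigcheck line: [mark] date . MD5 . size . . [file version] . . path
_LINE = re.compile(
    r"^\[(?P<mark>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    mark: str      # assumption: "7" = signature verified, "-" = failed/unsigned
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.lower().rsplit("\\", 1)[-1]

    @property
    def in_dllcache(self) -> bool:
        return "\\dllcache\\" in self.path.lower()


@dataclass
class Finding:
    name: str
    live_path: str
    live_md5: str
    reason: str
    source: Optional[str]  # clean copy to restore from, if the log shows one


def parse_sigcheck(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m["mark"], m["date"], m["md5"].upper(),
                                 int(m["size"]), m["version"], m["path"]))
    return entries


def find_mismatches(entries: List[Entry]) -> List[Finding]:
    """Pair each live file with the verified dllcache copy of the same name."""
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings = []
    for name, group in by_name.items():
        trusted = next((e for e in group if e.in_dllcache and e.mark == "7"), None)
        for e in group:
            if e.in_dllcache:
                continue
            if trusted is not None and e.md5 != trusted.md5:
                findings.append(Finding(name, e.path, e.md5,
                                        f"MD5 {e.md5} differs from dllcache copy {trusted.md5}",
                                        trusted.path))
            elif trusted is None and e.mark != "7":
                findings.append(Finding(name, e.path, e.md5,
                                        "failed signature check and no dllcache copy in the log",
                                        None))
    return findings


def build_cfscript(findings: List[Finding], extra_sources: Dict[str, str]) -> str:
    """Emit the FCopy:: section: one 'source | destination' line per file that has a
    clean copy. extra_sources supplies copies the log does not show, e.g. the
    winlogon.exe expanded from the XP CD to c:\\winlogon.exe."""
    lines = ["FCopy::"]
    for f in findings:
        src = f.source or extra_sources.get(f.name)
        if src:
            lines.append(f"{src} | {f.live_path}")
    return "\n".join(lines) + "\n"


def judge_candidate(candidate_md5: str, candidate_size: int,
                    bad_md5: str, expected_size: int) -> bool:
    """Accept a replacement only if it has the right size AND is not the known-bad
    hash. Size alone proves nothing: the infected winlogon.exe in the log and the
    copy expanded from the CD are both 502272 bytes."""
    return candidate_size == expected_size and candidate_md5.upper() != bad_md5.upper()


def file_md5(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


if __name__ == "__main__":
    found = find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE))
    for f in found:
        print(f"{f.live_path}: {f.reason}")
    # c:\winlogon.exe is the copy expanded from the CD's i386 folder (see the thread).
    print(build_cfscript(found, {"winlogon.exe": r"c:\winlogon.exe"}))
```

Before dragging the script onto ComboFix, hash the expanded C:\winlogon.exe with file_md5 and run it through judge_candidate against the 6E8CA4FC... hash from the log: the expand output in the thread shows 502272 bytes, exactly the size of the infected file, so only the hash tells the two apart.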
