WiredWX Christian Hobby Weather Tools
Many Problems with my computer? (Including Protection System)
I can't install HijackThis or Malware-Bytes or any other Anti-Malware programs! I know Protection System/Pc Security is still stuck partially on my PC.

I check my Task Manager often and sometimes my computer slows down and I find that iexplorer.exe is running but I haven't touched Internet Explorer for months!

Whenever I try to click a random desktop icon, a window pops up telling me to find what program to open it with!

It also says there is a problem with Rundll.exe (I think? Something along those lines) and I can't open system restore, device manager, install/uninstall programs, etc.

In Safe Mode, my internet won't work and usually says something along the lines of "Can't find the server at toolbar.ask.com" I don't even go to ask.com.

I have Trend Micro Internet Security installed, and while it's helped, I can't open it anymore because of the Program searcher window.

And just recently, whenever I click a link on Google Search, it opens a new tab and redirects me to a spam site.

Please help!

I have Windows XP Service Pack 2, but I don't have the original bar code thing you need to verify it, even though I have the disk to reinstall it. My computer is also along the lines of 6 years old.


If anyone needs to know anything else, please ask!

Re: Many Problems with my computer? (Including Protection System)
Bump!

Re: Many Problems with my computer? (Including Protection System)
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.

Re: Many Problems with my computer? (Including Protection System)
That link is not working for me.

Re: Many Problems with my computer? (Including Protection System)
See if this link works:
http://www.sendspace.com/pro/dl/932rpd


Re: Many Problems with my computer? (Including Protection System)
It downloaded in the download window, but my computer will not let me open it, and when I right click it, the open and open containing folder options are a dark gray and unselectable.

Re: Many Problems with my computer? (Including Protection System)
Hello, in Task Manager do you see the following process: PC_Security2009.exe

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Many Problems with my computer? (Including Protection System)
No, but when I right click on random things, an option on the right click menu asks, "Scan with Protection System". Also, I deleted as much of Protection System as I could trying to get rid of it, but a file called "coreext.dll" won't be deleted from the Protection System folder in my Program Files.

Last edited by blackwolf748 on 29th July 2009, 8:50 pm; edited 1 time in total (Reason for editing : Typo.)

Re: Many Problems with my computer? (Including Protection System)
Hello, can you write down all the names that you have in your Task Manager process list and post them here.


Re: Many Problems with my computer? (Including Protection System)
Sure, there's a lot... I never use Internet explorer, but when I delete the process, it comes back in a few minutes.

WISPTIS.exe
iexplorer.exe
wuauclt.exe
taskmgr.exe
firefox.exe
iPodservice.exe
distnoted.exe
WINWORD.exe
ctfmon.exe
iTunes.exe
explorer.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
SfCtlCom.exe
svchost.exe
AppleMobileDevice.exe
svchost.exe
svchost.exe
ati2evxx.exe
lsass.exe
services.exe
winlogon.exe
csrss.exe
smss.exe
MDM.exe
TmProxy.exe
TmPfw.exe
CTSVCCDA.exe
mDNSResponder.exe
SyncServicesBasics.exe
AppleMobileDeviceService.exe
TMBMSRV.exe
svchost.exe
spoolsv.exe
System
System Idle Process

Re: Many Problems with my computer? (Including Protection System)
Please download SysProt AntiRootkit v1.0.1.0 by Swatkat

  • Next run the file; *Note: If running Vista, right click and select Run as administrator
  • Once opened, navigate to the log tab and select all the areas including the hidden objects only box and click on the create log button
  • A scan will start and then a window will pop up with two options, select scan all drives
  • Once finished it will give you a location where it was saved, navigate to that place usually the desktop, and open the log, post all the contents of the log back here.


Re: Many Problems with my computer? (Including Protection System)
It's still not letting me open any downloads...

Re: Many Problems with my computer? (Including Protection System)
We are going to have to do some things in safe mode; also, you are going to have to use a CD or flash drive to transfer files to the infected computer:

Please do the following in Safe Mode with Networking: as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

Note: With some computers, if you press and hold a key as the computer is booting you will get a stuck key message. If this occurs, instead of pressing and holding the "F8 key", tap the "F8 key" continuously until you get the startup menu. Once in the start up menu, select "Safe Mode with Networking", then do the following instructions:

1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to Combo-Fix as follows:

[screenshot: CF_download_FF]

[screenshot: CF_download_rename]

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


Re: Many Problems with my computer? (Including Protection System)
I went in safe mode, followed all of your instructions, but it didn't work.

When I tried to download it and renamed it, my Firefox download window did the following:
It stopped the download immediately, and had a retry button to click.
I clicked the retry download button, and the download finished as soon as I clicked it.
If I right-click on the download, the options Open containing Folder, Open, and go to download page had darkened text and I could not select them. Other files, like iTunes music files, were fine and I could open them just fine.

Re: Many Problems with my computer? (Including Protection System)
See if you can do the following:

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.


Re: Many Problems with my computer? (Including Protection System)
It still won't open, not even when I renamed it to random things...

Re: Many Problems with my computer? (Including Protection System)
This is a brand new trojan. It is similar to past viruses but this one found a way to hijack Spybot, Malwarebytes and Ad-Aware.
HijackThis will neither download nor run.

Conventional methods are useless even in safe mode. I was able to identify 1 script and 4 infected cache files by running Uniblue SpyEraser in safe mode. But, alas, when I restarted we were back to where we started.

I am going to run SpyEraser one more time and see if I can identify the files.

I'll post what I find, if anything.

There are no current fixes that I can find yet.

Re: Many Problems with my computer? (Including Protection System)
lol that was stupid,
Ran it and was going to post but I haven't updated in an entire year. I am updating now and will re-run it.

Re: Many Problems with my computer? (Including Protection System)
mhawkster - Please post your own topic if you need help.

Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, a message will pop up and a logfile will have been created on the desktop. Please post the entire contents of this logfile for me to see.


Re: Many Problems with my computer? (Including Protection System)
My apologies. I was just reinforcing his statements that traditional methods were ineffective. I was going to post info to save you the trouble since I have isolated the virus.

I will not interfere.

Belahzur wrote:
mhawkster - Please post your own topic if you need help.

Re: Many Problems with my computer? (Including Protection System)
"Silent Runners.vbs", revision 59, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = ""C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet" ["Yahoo! Inc."]
"EA Core" = ""C:\Program Files\Electronic Arts\EADM\Core.exe" -silent" ["Electronic Arts"]
"Aim6" = "(empty string)" [file not found]
"Cognac" = "C:\DOCUME~1\Owner\LOCALS~1\Temp\b.exe" [file not found]
"braviax" = "C:\WINDOWS\system32\braviax.exe" [file not found]
"OE" = "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" ["Trend Micro Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"exec" = "C:\WINDOWS\system32\mstjo.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"DVDLauncher" = ""C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"" ["CyberLink Corp."]
"dla" = "C:\WINDOWS\system32\dla\tfswctrl.exe" ["Sonic Solutions"]
"basicsmssmenu" = ""C:\Documents and Settings\Owner\My Documents\Basics Status\MaxMenuMgrBasics.exe"" ["Maxtor Corporation"]
"UIUCU" = ""C:\DOCUME~1\Owner\LOCALS~1\Temp\UIUCU.EXE" -CLEAN_UP -S" [file not found]
"SoundMAXPnP" = ""C:\Program Files\Analog Devices\Core\smax4pnp.exe"" ["Analog Devices, Inc."]
"AppleSyncNotifier" = ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"" ["Apple Inc."]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Inc."]
"SunJavaUpdateSched" = ""C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"" ["Sun Microsystems, Inc."]
"{A3-3C-C9-92-DW}" = ""C:\WINDOWS\system32\dwwnw64r.exe" DWrvgFF" [file not found]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Inc."]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"RealTray" = ""C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"P17Helper" = "Rundll32 P17.dll,P17Helper" [MS]
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"CTSysVol" = ""C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r" ["Creative Technology Ltd"]
"UpdReg" = "C:\WINDOWS\UpdReg.EXE" ["Creative Technology Ltd."]
"StartCCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun" ["Advanced Micro Devices, Inc."]
"18485314" = "C:\Documents and Settings\All Users\Application Data\18485314\18485314.exe" [file not found]
"braviax" = "C:\WINDOWS\system32\braviax.exe" [file not found]
"sysldtray" = "C:\windows\ld12.exe" [file not found]
"pp" = "c:\windows\pp10.exe" [file not found]
"PC Security 2009" = ""C:\Program Files\PC_Security2009\PC_Security2009.exe" /hide" [file not found]
"sysfbtray" = "c:\windows\freddy49.exe" [file not found]
"UfSeAgnt.exe" = ""C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"" ["Trend Micro Inc."]
"UserFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -u"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"
-> {HKLM...CLSID} = "History Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]
"{5CA3D70E-1895-11CF-8E15-001234567890}" = "DriveLetterAccess"
-> {HKLM...CLSID} = "DriveLetterAccess"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dla\tfswshx.dll" ["Sonic Solutions"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {HKLM...CLSID} = "RecordNow! SendToExt"
\InProcServer32\(Default) = "C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\shlext.dll" [null data]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {HKLM...CLSID} = "iTunes"
\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Inc."]
"{3FCEF010-09A4-11D4-8D3B-D12F9D3D8B02}" = "TIShelEx Shell Extension"
-> {HKLM...CLSID} = "FileTimeShlExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\TISHAR~1\TICONN~1\TIShlExt.dll" ["Texas Instruments Incorporated"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]
"{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D}" = "Messenger Sharing Folders"
-> {HKLM...CLSID} = "My Sharing Folders"
\InProcServer32\(Default) = "C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Protection System extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security\Tmdshell.dll" ["Trend Micro Inc."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security\VBProp.dll" ["Trend Micro Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<> "{38101905-D80F-4788-96F6-986A8186178A}" = "*g" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\system32\flashd32.dll" [null data]

HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
<> "Notification Packages" = ""|"scecli"|"scecli"|"scecli"|"scecli"

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\
<> ("" [file not found]) "SecurityProviders" = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\
SimpleShlExt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\
SimpleShlExt\(Default) = "{5E2121EE-0300-11D4-8D3B-444553540000}"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\Protection System\CoreExt.dll" [empty string]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]


Default executables:
--------------------

<> HKLM\SOFTWARE\Classes\.bat\(Default) = "csfile"
<> HKLM\SOFTWARE\Classes\csfile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshrp.exe "%1" %*" [file not found]

<> HKLM\SOFTWARE\Classes\.com\(Default) = "csfile"
<> HKLM\SOFTWARE\Classes\csfile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshrp.exe "%1" %*" [file not found]

<> HKLM\SOFTWARE\Classes\.exe\(Default) = "csfile"
<> HKLM\SOFTWARE\Classes\csfile\shell\open\command\(Default) = "C:\WINDOWS\system32\mshrp.exe "%1" %*" [file not found]

HKLM\SOFTWARE\Classes\.scr\(Default) = "scrfile"
<> HKLM\SOFTWARE\Classes\scrfile\shell\open\command\(Default) = ""%1" %*" [file not found]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"ForceClassicControlPanel" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"AllowLegacyWebView" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"AllowUnhashedWebView" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

"NoCDBurning" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"NoDispBackgroundPage" = (REG_DWORD) dword:0x00000000
{Hide Desktop tab}

"NoDispScrSavPage" = (REG_DWORD) dword:0x00000000
{unrecognized setting}

"EnableProfileQuota" = (REG_DWORD) dword:0x00000001
{unrecognized setting}

Re: Many Problems with my computer? (Including Protection System)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001
{Devices: Allow undock without having to log on}

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\

"Disable Config" = (REG_DWORD) dword:0x00000001
{unrecognized setting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\My Documents\My Pictures\untitled.bmp"


Windows Portable Device AutoPlay Handlers
-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

CTPlayAudioOnArrival\
"Provider" = "@C:\Program Files\Creative\MediaSource\CTCMS.CRL,-14345"
"InvokeProgID" = "CTAutoPL.AudioCDPlayer.1"
"InvokeVerb" = "open"
HKLM\SOFTWARE\Classes\CTAutoPL.AudioCDPlayer.1\shell\open\command\(Default) = ""C:\Program Files\Creative\MediaSource\CTCMS.exe" /T=CLASSKEY_AudioCD IN %L PlayNow" ["Creative Technology Ltd"]

iTunesBurnCDOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.BurnCD"
"InvokeVerb" = "burn"
HKLM\SOFTWARE\Classes\iTunes.BurnCD\shell\burn\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayBurn "%L"" ["Apple Inc."]

iTunesImportSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ImportSongsOnCD"
"InvokeVerb" = "import"
HKLM\SOFTWARE\Classes\iTunes.ImportSongsOnCD\shell\import\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayImportSongs "%L"" ["Apple Inc."]

iTunesPlaySongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.PlaySongsOnCD"
"InvokeVerb" = "play"
HKLM\SOFTWARE\Classes\iTunes.PlaySongsOnCD\shell\play\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /playCD "%L"" ["Apple Inc."]

iTunesShowSongsOnArrival\
"Provider" = "iTunes"
"InvokeProgID" = "iTunes.ShowSongsOnCD"
"InvokeVerb" = "showsongs"
HKLM\SOFTWARE\Classes\iTunes.ShowSongsOnCD\shell\showsongs\command\(Default) = ""C:\Program Files\iTunes\iTunes.exe" /AutoPlayShowSongs "%L"" ["Apple Inc."]

PDVDPlayDVDMovieOnArrival\
"Provider" = "PowerDVD"
"InvokeProgID" = "DVD"
"InvokeVerb" = "PlayWithPowerDVD"
HKLM\SOFTWARE\Classes\DVD\shell\PlayWithPowerDVD\Command\(Default) = ""C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" MOVIE "%L"" ["CyberLink Corp."]

SonicRnAudioCD\
"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "AudioCDJob"
HKLM\SOFTWARE\Classes\Sonic.RecordNow\shell\AudioCDJob\Command\(Default) = ""C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe" /AudioCDJob %L" [null data]

SonicRnBurnAudioCD\
"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "AudioCDTarget"
HKLM\SOFTWARE\Classes\Sonic.RecordNow\shell\AudioCDTarget\Command\(Default) = ""C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe" /AudioCDTarget %L" [null data]

SonicRnBurnDataDisc\
"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "DataDiscTarget"
HKLM\SOFTWARE\Classes\Sonic.RecordNow\shell\DataDiscTarget\Command\(Default) = ""C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe" /DataDiscTarget %L" [null data]

SonicRnCopyCD\
"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "CopyDiscJob"
HKLM\SOFTWARE\Classes\Sonic.RecordNow\shell\CopyDiscJob\Command\(Default) = ""C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe" /CopyDiscJob %L" [null data]

SonicRnCopyDisc\
"Provider" = "Sonic RecordNow! Plus"
"InvokeProgID" = "Sonic.RecordNow"
"InvokeVerb" = "CopyDiscJob"
HKLM\SOFTWARE\Classes\Sonic.RecordNow\shell\CopyDiscJob\Command\(Default) = ""C:\Program Files\Sonic\Sonic Solutions Product CD\RecordNow! Plus\RecordNow.exe" /CopyDiscJob %L" [null data]

TMAutoplayScan\
"Provider" = "Trend Micro Internet Security"
"InvokeProgID" = "TM.AutoplayScan"
"InvokeVerb" = "Play"
HKLM\SOFTWARE\Classes\TM.AutoplayScan\shell\Play\DropTarget\CLSID = "{BB7E88E2-443A-456A-9D7D-F25B9F5F7A95}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security\TmAtPlay.dll" ["Trend Micro Inc."]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\Owner\Start Menu\Programs\Startup
"Startup" -> shortcut to: "C:\WINDOWS\ha_server.exe" [file not found]
"Yahoo! Widgets" -> shortcut to: "C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe" ["Yahoo! Inc."]


Enabled Scheduled Tasks:
------------------------

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]
"{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}" -> launches: "C:\WINDOWS\msb.exe" [file not found]
"{783AF354-B514-42d6-970E-3E8BF0A5279C}" -> launches: "C:\DOCUME~1\Owner\LOCALS~1\Temp\b.exe" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "C:\Program Files\Bonjour\mdnsNSP.dll" ["Apple Inc."]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\
"{D0943516-5076-4020-A3B5-AEFAF26AB263}" = "Veoh Video Finder"
-> {HKLM...CLSID} = "Veoh Browser Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll" [file not found]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{A7CAC213-84D6-3AE7-2D6E-7D2456D2349E}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Search panel"
\InProcServer32\(Default) = "C:\WINDOWS\system32\umogmqtgga.dll" [file not found]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Shdocvw.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.6.0_07"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll" ["Sun Microsystems, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E2E2DD38-D088-4134-82B7-F2BA38496583}\
"MenuText" = "@xpsp3res.dll,-20001"
"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apple Mobile Device, Apple Mobile Device, ""C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"" ["Apple Inc."]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
Basics Service, Basics Service, ""C:\Documents and Settings\Owner\My Documents\Service\SyncServicesBasics.exe"" ["Seagate Technology LLC"]
Bonjour Service, Bonjour Service, ""C:\Program Files\Bonjour\mDNSResponder.exe"" ["Apple Inc."]
Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINDOWS\system32\CTsvcCDA.EXE" ["Creative Technology Ltd"]
iPod Service, iPod Service, ""C:\Program Files\iPod\bin\iPodService.exe"" ["Apple Inc."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
Trend Micro Central Control Component, SfCtlCom, ""C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe"" ["Trend Micro Inc."]
Trend Micro Personal Firewall, TmPfw, ""C:\Program Files\Trend Micro\Internet Security\TmPfw.exe"" ["Trend Micro Inc."]
Trend Micro Proxy Service, TmProxy, ""C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"" ["Trend Micro Inc."]
Trend Micro Unauthorized Change Prevention Service, TMBMServer, ""C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service" ["Trend Micro Inc."]
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\system32\MsPMSPSv.exe" [MS]


Print Monitors:
---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
Canon BJ Language Monitor MP830\Driver = "CNMLM7Q.DLL" ["CANON INC."]
Canon MP FAX Language Monitor MP830\Driver = "CNCF2Lb.DLL" ["Canon Inc."]
Dell 942 Port\Driver = "dlbulmpm.DLL" [file not found]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


---------- (launch time: 2009-08-08 13:32:45)
<>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 75 seconds, including 3 seconds for message boxes)

Re: Many Problems with my computer? (Including Protection System)

mhawkster - Actually, traditional methods still carry some weight. SilentRunners, which I asked for here, shows me some info but not a lot; nowadays, with the malware we're contending with, you won't find many using SilentRunners. On the other hand, though, SilentRunners doesn't use an exe like many tools, so it's sometimes able to bypass the malware and gives me a loophole to play with, and we can fight back using that.

SilentRunners does show me why normal exe files aren't working if you look close enough.

blackwolf748 - You have quite the mess here, but we should be able to at least disable the malware and delete the run values, enough to put a dent into it. Now that I know why exe files aren't working, once that is repaired, we can kill it.

  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "braviax"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
    "exec"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "{A3-3C-C9-92-DW}"=-
    "18485314"=-
    "braviax"=-
    "sysldtray"=-
    "pp"=-
    "PC Security 2009"=-
    "sysfbtray"=-
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{A7CAC213-84D6-3AE7-2D6E-7D2456D2349E}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat]
    @="batfile"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
    @="comfile"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
    @="exefile"
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\csfile]


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

Let me know if that went smoothly or you had problems.

............................................................................................

Site Admin / Security Administrator

Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
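The fix above works by deleting the malware's Run values and pointing the .exe, .bat and .com classes back at their default handlers. As an added example (not code from the thread or from any tool mentioned in it), this Python parses that exact fix.reg and replays it against a constructed registry model that mimics the hijack the helper diagnosed, showing how "name"=-, [-KEY] and @= are interpreted; the csfile command path and the braviax path under C:\CONSTRUCTED are invented placeholders.

```python
"""Parse the fix.reg posted above and replay it against a registry model.
Added example, not from the thread or any tool in it. The "before" state mimics the
hijack the helper diagnosed (.exe redirected to a csfile class); paths under
C:\\CONSTRUCTED are invented placeholders."""
import re

FIX_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"exec"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"{A3-3C-C9-92-DW}"=-
"18485314"=-
"braviax"=-
"sysldtray"=-
"pp"=-
"PC Security 2009"=-
"sysfbtray"=-
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{A7CAC213-84D6-3AE7-2D6E-7D2456D2349E}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.bat]
@="batfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.com]
@="comfile"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
@="exefile"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\csfile]
"""

# [KEY] selects a key, [-KEY] deletes it; "name"=data sets a value, @=data the (Default)
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text):
    """Return (op, key, value_name, data) tuples; value_name "" means (Default)."""
    ops, key = [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                              # [-KEY]: delete key and subkeys
                ops.append(("delete_key", key, None, None))
                key = None
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("unexpected line: %r" % line)
        name = "" if m.group("default") else m.group("name")
        data = m.group("data")
        if data == "-":                            # "name"=- : delete that value
            ops.append(("delete_value", key, name, None))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            ops.append(("set_value", key, name, data[1:-1]))   # quoted REG_SZ only
        else:
            raise ValueError("unsupported data type: %r" % line)
    return ops


def apply_ops(registry, ops):
    """Replay ops on {key: {value_name: data}}; key names compare case-insensitively."""
    reg = {k.lower(): dict(v) for k, v in registry.items()}
    for op, key, name, data in ops:
        k = key.lower()
        if op == "delete_key":
            for sub in [s for s in reg if s == k or s.startswith(k + "\\")]:
                del reg[sub]
        elif op == "delete_value":
            reg.get(k, {}).pop(name, None)         # merging tolerates an absent value
        else:
            reg.setdefault(k, {})[name] = data
    return reg


def exe_launch_command(registry):
    """Follow .exe -> class name -> that class's shell\\open\\command, as the shell does."""
    reg = {k.lower(): v for k, v in registry.items()}
    cls = reg.get(r"hkey_local_machine\software\classes\.exe", {}).get("", "")
    cmd_key = r"hkey_local_machine\software\classes\%s\shell\open\command" % cls.lower()
    return reg.get(cmd_key, {}).get("")


# Constructed "before" state: double-clicking any .exe would run the csfile command.
HIJACKED = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe": {"": "csfile"},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\csfile\shell\open\command": {"": r'"C:\CONSTRUCTED\hijack.exe" "%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command": {"": '"%1" %*'},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "braviax": r"C:\CONSTRUCTED\braviax.exe",
        "UfSeAgnt.exe": r'"C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"'},
}

if __name__ == "__main__":
    fixed = apply_ops(HIJACKED, parse_reg(FIX_REG))
    print("before:", exe_launch_command(HIJACKED), " after:", exe_launch_command(fixed))
```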

Re: Many Problems with my computer? (Including Protection System)

It worked! I had no problems.

Re: Many Problems with my computer? (Including Protection System)

Try running HijackThis now; hopefully it should work now that the reg fix has restored the default settings.

If not, I have another ace up my sleeve.


Re: Many Problems with my computer? (Including Protection System)

No, my computer still won't let me open any downloads.

Re: Many Problems with my computer? (Including Protection System)

Then how did you download SilentRunners?
Can you remove the exe file extension and change it to scr?


Re: Many Problems with my computer? (Including Protection System)

It only changed to .scr.exe. I don't know why SilentRunners worked, it just did....

My computer's shaped up a little and I can finally run my virus scanner. It cleared out a lot of problems, and now I'm pretty sure the most obnoxious ad-ware is gone, but it has two problems it can't fix.

1) TROJ_Generic.DIT (Infected File: flashd32.dll)
2) BKDR_TDSS.Z (Infected File: hjgruifbtowdlt.sys)

And I've not a clue what to do about this. The other programs you've linked me to still won't open or install.

Re: Many Problems with my computer? (Including Protection System)

Hello.
I want to check something.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Re: Many Problems with my computer? (Including Protection System)

It didn't work. Actually, my virus system told me to restart to get rid of some remaining viruses or something, and when I did, I had to click through about 10-20 different Windows pop-ups all saying things like, "hjgruifbtowdlt.sys is not a valid windows image", and had to keep clicking through them. They started when I was logging on, and then continued once my desktop was loaded. They've stopped, but...

Re: Many Problems with my computer? (Including Protection System)

Were you able to run SystemLook then, even after a reboot?

If not, delete it and re-download it.


Re: Many Problems with my computer? (Including Protection System)

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 20:23 on 11/08/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\scecli.dll --a--c 181248 bytes [02:14 02/12/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--c 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [04:46 27/02/2009] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [10:00 04/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netlogon.dll --a--- 407040 bytes [02:13 02/12/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll --a--c 407040 bytes [00:12 14/04/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [04:46 27/02/2009] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [10:00 04/08/2004] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

-=End Of File=-

There's the System Look file. After Restart, it finally let me re-download and open!
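The SystemLook check the helper asked for compares the live copies of scecli.dll and netlogon.dll with their protected copies. As an added example that is not part of the thread or of SystemLook itself, this Python parses the filefind report exactly as posted and flags a DLL whose system32 copy differs in size or MD5 from its dllcache copy; TAMPERED_LOG is a constructed variant with an all-zero placeholder hash that exercises the mismatch path.

```python
"""Compare system32 DLLs with their dllcache copies from a SystemLook ':filefind' log.

Added example, not from the thread or from SystemLook. The log literal is the
report posted above; TAMPERED_LOG is a constructed variant (placeholder hash of
all zeros) in which the live scecli.dll no longer matches the dllcache copy.
"""
import re
from collections import namedtuple

SYSTEMLOOK_LOG = r"""Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\scecli.dll --a--c 181248 bytes [02:14 02/12/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--c 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [04:46 27/02/2009] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [10:00 04/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\79123dd72d0f61d4ed8c7a816ed338d7\netlogon.dll --a--- 407040 bytes [02:13 02/12/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll --a--c 407040 bytes [00:12 14/04/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [04:46 27/02/2009] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [10:00 04/08/2004] [10:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
"""

# Constructed: the same report, but the live scecli.dll has a different size and hash.
TAMPERED_LOG = SYSTEMLOOK_LOG.replace(
    r"C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [10:00 04/08/2004] [10:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A",
    r"C:\WINDOWS\system32\scecli.dll --a--- 181760 bytes [10:00 04/08/2004] [03:12 05/08/2009] 00000000000000000000000000000000")

SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
# path, six attribute flags, size, two bracketed timestamps, MD5
ENTRY_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+[-a-z]{6}\s+(?P<size>\d+) bytes"
                      r"\s+\[[^\]]+\]\s+\[[^\]]+\]\s+(?P<md5>[0-9A-Fa-f]{32})$")
Entry = namedtuple("Entry", "path size md5")


def parse_filefind(text):
    """Return {searched_name: [Entry, ...]} from the ':filefind' section of a log."""
    results, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1).lower()
            results.setdefault(current, [])
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            results[current].append(Entry(m.group("path"), int(m.group("size")), m.group("md5").upper()))
    return results


def compare_with_dllcache(results):
    """Per searched file: 'match' when the live system32 copy equals the dllcache copy
    in size and MD5, 'MISMATCH' when it does not, 'missing' when either copy is absent.
    Copies under SoftwareDistribution\\Download are pending Windows Update payloads, so a
    different hash there is expected and they are ignored here."""
    verdicts = {}
    for name, entries in results.items():
        live = [e for e in entries if e.path.lower().endswith("\\system32\\" + name)]
        cache = [e for e in entries if "\\system32\\dllcache\\" in e.path.lower()]
        if not live or not cache:
            verdicts[name] = "missing"
        elif (live[0].size, live[0].md5) == (cache[0].size, cache[0].md5):
            verdicts[name] = "match"
        else:
            verdicts[name] = "MISMATCH"
    # Caveat: agreement only shows the two copies are identical, not that either is
    # clean; an infection that patches both, or hides the real file from the scanner,
    # passes this check. Compare against hashes from clean install media when possible.
    return verdicts


if __name__ == "__main__":
    print("posted log:  ", compare_with_dllcache(parse_filefind(SYSTEMLOOK_LOG)))
    print("tampered log:", compare_with_dllcache(parse_filefind(TAMPERED_LOG)))
```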

Re: Many Problems with my computer? (Including Protection System)

Hello.
They look ok, can you try downloading Hijack This again from here:
http://www.sendspace.com/pro/dl/932rpd


Re: Many Problems with my computer? (Including Protection System)

Ok, Hijack This worked. Here's what I got from the scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:39 PM, on 8/14/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Owner\My Documents\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Documents and Settings\Owner\My Documents\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\mbam-setup.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\msxqatu.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msevfa.exe
O2 - BHO: BhoApp - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll (file missing)
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Documents and Settings\Owner\My Documents\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [UIUCU] "C:\DOCUME~1\Owner\LOCALS~1\Temp\UIUCU.EXE" -CLEAN_UP -S
O4 - HKLM\..\Run: [SoundMAXPnP] "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Cognac] C:\DOCUME~1\Owner\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Startup: Startup.lnk = C:\WINDOWS\ha_server.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://download.playfirst.com/play/game/dinerdash2/DinerDash2.1.0.0.67.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216585934984
O16 - DPF: {6715D12F-213F-4C6E-ACE1-8A363F550B96} (CPlayFirstDoggieDashControl Object) - http://download.playfirst.com/play/game/doggiedash/DoggieDash.1.0.0.9.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Documents and Settings\Owner\My Documents\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: sopidkc Service (sopidkc) - Unknown owner - C:\WINDOWS\system32\sopidkc.exe (file missing)
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9132 bytes

Re: Many Problems with my computer? (Including Protection System)

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    [screenshot: CF_download_FF]

    [screenshot: CF_download_rename]

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    [screenshot: Rcauto10]

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    [screenshot: Whatne10]

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


Re: Many Problems with my computer? (Including Protection System)

Combo-Fix wouldn't run. It downloaded, but every time I tried to run it, this stupid Windows error message would pop up, and "hjgruifbtowdlt.sys" was always somewhere in the message. Every time I exit out of it, a new one pops up.

It stops Combo-Fix from working, and it's very annoying because I have to go through a pop-up every time I try to load something.

Re: Many Problems with my computer? (Including Protection System)

Download the GMER rootkit scan from here: GMER

  1. Unzip it and start GMER.
  2. Click the >>> tab and then click the Scan button.
  3. Once done, click the Copy button.
  4. This will copy the results to your clipboard.
  5. Paste the results in your next reply.
Note:
If you're having problems with running GMER.exe, try it in safe mode. This tool works in safe mode.
You can also try renaming it since some malware blocks GMER.

............................................................................................

While my help is always free, please consider donating to keep this site alive: Donate


Re: Many Problems with my computer? (Including Protection System)

....It's 17 pages long. Do you want me to post it in bits, or did I do something wrong in scanning it?

Re: Many Problems with my computer? (Including Protection System)

No, it's right.
Can you upload the log to rapidshare.com for me to see?


Re: Many Problems with my computer? (Including Protection System)

Sorry for taking so long to get back to you! I put it on Rapidshare and here is the link:

http://rapidshare.com/files/270740297/GMER_1.doc.html

Re: Many Problems with my computer? (Including Protection System)

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to delete:
UACd.sys
hjgruimnwubowl

Files to delete:
C:\WINDOWS\system32\drivers\UACvmlamnadtpxujcxea.sys
C:\WINDOWS\system32\drivers\hjgruifbtowdlt.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\hjgruimnwubowl
HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys
HKLM\SYSTEM\ControlSet003\Services\hjgruimnwubowl
HKLM\SYSTEM\ControlSet003\Services\UACd.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Re: Many Problems with my computer? (Including Protection System)

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Driver "UACd.sys" deleted successfully.
Driver "hjgruimnwubowl" deleted successfully.
File "C:\WINDOWS\system32\drivers\UACvmlamnadtpxujcxea.sys" deleted successfully.

Error: could not delete file "C:\WINDOWS\system32\drivers\hjgruifbtowdlt.sys"
Deletion of file "C:\WINDOWS\system32\drivers\hjgruifbtowdlt.sys" failed!
Status: 0xc0000156


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\hjgruimnwubowl" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\hjgruimnwubowl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\UACd.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet003\Services\hjgruimnwubowl" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet003\Services\UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Many Problems with my computer? (Including Protection System)

Many of my computer problems are now resolved, thank you!

The only problem I'm having now is whenever I do a virus scan, I always end up with the same one and it can't get rid of it, nor can I delete it manually.

TROJ_Generic.DIT
Type: Generic
Location: Flashd32.dll (C:\WINDOWS\System32\)
