WiredWX Christian Hobby Weather Tools
Trojan has disabled desktop, start menu and all programs.

My problem started when Windows Antivirus 2009 kept popping up ads trying to get me to download and buy it. Now my computer will not run anything. I have no desktop: my desktop background pic is there, but no icons and no start menu. I try to download programs that everyone suggests to take care of this and it will download but will not run. My McAfee antivirus will not run, nothing on my computer will run. When I try to run anything a black box opens really quickly and then closes very quickly. I bought new antivirus/antispyware software, but I can't even start the CD to install. This trojan has EVERYTHING blocked. I can use Alt+Ctrl+Delete and run the internet, but that is it - and even then it will not open certain websites and Google search in the toolbar doesn't work. PLEASE HELP! Thank you in advance for any help you can give.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Let's try this:

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:


Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:


  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Trojan has disabled desktop, start menu and all programs.

I did all of the above. Tried downloading and renaming it. Didn't work. Tried in Safe Mode and didn't work. Whenever I try to open it or any other software program a black box opens and closes and it says something like: "Windowsystem32/desot". It does it very quickly so I think that is what it says. Any other suggestions? Thank you again for your help.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please delete the following file using Windows Explorer:

C:\Windows\System32\desot.exe

==

Then, try the ComboFix process again.

Re: Trojan has disabled desktop, start menu and all programs.

Hi,

I deleted that file. It has given me back my desktop and start menu. I am still unable to run ComboFix though, even after renaming it. I even bought new antivirus software. When I try to install it or run other software programs on my PC it pops open a window that says "Open With" and gives me several options to open it with. Not normal. Any suggestions? Thanks in advance.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    comres.dll
    winlogon.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Trojan has disabled desktop, start menu and all programs.

I downloaded it and ran it like you said. A box popped up on the bottom toolbar with the yellow exclamation point triangle that said "The file or directory C:\$Mft is corrupt and unreadable. Please run the Chkdsk utility."

The SystemLook Notepad window then opened and this is what was in it:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 14:19 on 20/09/2009 by Mark Carter (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\scecli.dll --a--- 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [12:00 04/08/2004] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [12:00 04/08/2004] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\sp2qfe\netlogon.dll --a--- 408064 bytes [18:46 06/02/2009] [18:46 06/02/2009] 6C476D33D82F1054849790181E8F7772
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\netlogon.dll --a--- 407040 bytes [00:12 14/04/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [12:00 04/08/2004] [12:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [12:00 04/08/2004] [12:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll --a--- 56320 bytes [00:11 14/04/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 55808 bytes [12:00 04/08/2004] [12:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [12:00 04/08/2004] [12:00 04/08/2004] (Unable to calculate MD5)

Searching for "comres.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\comres.dll --a--- 792064 bytes [00:11 14/04/2008] [00:11 14/04/2008] 1280A158C722FA95A80FB7AEBE78FA7D
C:\WINDOWS\system32\comres.dll --a--- 792064 bytes [12:00 04/08/2004] [12:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310
C:\WINDOWS\system32\dllcache\comres.dll --a--c 792064 bytes [12:00 04/08/2004] [12:00 04/08/2004] 6728270CB7DBB776ED086F5AC4C82310

Searching for "winlogon.exe"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe --a--- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\WINDOWS\system32\dllcache\winlogon.exe --a--c 502272 bytes [12:00 04/08/2004] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [12:00 04/08/2004] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

-=End Of File=-
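The check the helper runs on the log above is a file-integrity comparison: on Windows XP the live copy in system32 should match the protected copy in system32\dllcache, and eventlog.dll is the one whose size differs and whose MD5 cannot even be computed. The following is an added Python example (not part of SystemLook or of this thread) that parses a SystemLook `:filefind` log in that format and flags live copies that differ from their dllcache twin; the sample log is a subset of the entries quoted in the post above.

```python
"""Compare SystemLook ':filefind' hits against their dllcache copies.

Added example for this thread; it is not part of SystemLook or of any tool
the helper used.  The heuristic is the one applied above: on Windows XP the
live %SystemRoot%\\system32\\<file> should match
%SystemRoot%\\system32\\dllcache\\<file> in size and MD5.  A live copy that
differs, or that cannot be hashed at all, is a candidate for a malware-patched
system file (here: eventlog.dll).
"""
import re
from collections import defaultdict

# One SystemLook hit: path, attribute flags, size, two timestamps, MD5 or a note.
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<attr>[-a-z]{6})\s+"
    r"(?P<size>\d+) bytes\s+"
    r"\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+"
    r"(?P<md5>[0-9A-Fa-f]{32}|\(.*\))\s*$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"')


def parse_filefind(log_text):
    """Return {basename: [hit, ...]}; each hit has path, size (int) and
    md5 (uppercase hex, or None when SystemLook could not hash the file)."""
    hits = defaultdict(list)
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            continue
        m = HIT_RE.match(line)
        if m and current:
            md5 = m.group("md5")
            hits[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "md5": md5.upper() if re.fullmatch(r"[0-9A-Fa-f]{32}", md5) else None,
            })
    return dict(hits)


def check_against_dllcache(hits):
    """Compare each live system32 copy with its dllcache copy.
    Returns a list of (basename, verdict, reasons)."""
    findings = []
    for name, entries in sorted(hits.items()):
        live = [e for e in entries if e["path"].lower().endswith("\\system32\\" + name)]
        cache = [e for e in entries if e["path"].lower().endswith("\\system32\\dllcache\\" + name)]
        if not live or not cache:
            findings.append((name, "NO-PAIR", ["live or dllcache copy missing from log"]))
            continue
        l, c = live[0], cache[0]
        reasons = []
        if l["md5"] is None:
            reasons.append("live copy could not be hashed")
        if l["size"] != c["size"]:
            reasons.append("size %d differs from dllcache copy (%d)" % (l["size"], c["size"]))
        if l["md5"] and c["md5"] and l["md5"] != c["md5"]:
            reasons.append("MD5 differs from dllcache copy")
        findings.append((name, "SUSPECT" if reasons else "OK", reasons))
    return findings


# Sample input: a subset of the SystemLook log quoted in the post above.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (29.08.09)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\scecli.dll --a--- 181248 bytes [00:12 14/04/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [12:00 04/08/2004] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [12:00 04/08/2004] [12:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll --a--- 56320 bytes [00:11 14/04/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 55808 bytes [12:00 04/08/2004] [12:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [12:00 04/08/2004] [12:00 04/08/2004] (Unable to calculate MD5)

-=End Of File=-
"""

if __name__ == "__main__":
    for name, verdict, reasons in check_against_dllcache(parse_filefind(SAMPLE_LOG)):
        print(name, verdict, "; ".join(reasons))
```

Run on the sample, scecli.dll comes out OK while eventlog.dll is flagged SUSPECT for both the unhashable live copy and the size mismatch, which is exactly the file the helper has the user remove next.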

Re: Trojan has disabled desktop, start menu and all programs.

Hi

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Trojan has disabled desktop, start menu and all programs.

//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Sun Sep 20 14:51:30 2009

14:51:30: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACmpmbuetabr.sys
Driver disable failed!

Start Type: 1 (System)

Rootkit scan completed.

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download Malwarebytes Anti-Malware from here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Trojan has disabled desktop, start menu and all programs.

Just finished installing Malwarebytes: when I clicked on the icon to run it, a warning box popped up saying that C:\Program Files\Malwarebytes' Anti-Malware\Mbam.exe is not a valid Win32 application.

Also - every time I reboot the PC, the "Open With" box always appears and gives a long list of applications to open with. This box appears before my start menu and desktop icons. After I close it, then the icons and start menu appear. Also another box always opens whenever the computer is started up or rebooted: it is a box from the Spyware Doctor software - says something like pcstray.exe. Not sure if that has anything to do with it.

THANKS AGAIN FOR ALL YOUR HELP!

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download this file: http://noahdfear.net/downloads/exe_fix.com and save it to your desktop

Double click on exe_fix.com to run it

Type the number 1 at the prompt and allow the tool to run.

Please reboot your computer.

==

1) Please download this file: http://download.bleepingcomputer.com/sUBs/Beta/fr33.exe

2) Place fr33.exe into MBAM's folder - C:\Program Files\Malwarebytes' Anti-Malware\

3) Locate and then using your mouse, drag mbam.exe into fr33.exe. That shall free mbam.exe
4) Then do a scan & show us the resultant log

Re: Trojan has disabled desktop, start menu and all programs.

Okay, I did the first step, typed the number 1, let the program run and then rebooted as you said. When the PC started back up there were all kinds of things popping up. One thing that popped up was Total Security telling me I had all kinds of infections. Also when I rebooted, Mozilla Firefox wouldn't open. But I was able to use Internet Explorer.

I then tried to download the fr33.exe thing and it said it was infected and couldn't run.

Windows keep popping up saying I'm infected. It says "Total Security". I guess this is another malware/spyware bug.

I am unsure of step 2 when you said place fr33.exe into the malware folder - how do I do that? I understand how to drag and drop malware into fr33.

Sorry to repeat, but as I write this, things keep popping up saying I have trojans, warnings saying the PC is infected. This wasn't happening before I rebooted.

Re: Trojan has disabled desktop, start menu and all programs.

A window just popped up saying firefox.exe is infected and can't run.

Re: Trojan has disabled desktop, start menu and all programs.

Sorry for the continued posts, but now a window is popping up saying Windows Antivirus Pro and is wanting me to scan the computer, and I just keep closing it out.

Re: Trojan has disabled desktop, start menu and all programs.

PC screen just went blue and had big red letters saying the computer is infected with spyware. Then it rebooted itself.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download ComboFix by sUBs
Link 1: Forospyware.com or Link 2: BleepingComputer.com

Please save the file to your Desktop, but rename it first:


Important information about ComboFix

Before the download:
  • Please copy and paste these instructions to Notepad and save to your Desktop, or print them - for easier access.
  • It is important to rename ComboFix before the download.
  • Please do not rename ComboFix to other names, but only the one indicated.

After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.

Running ComboFix:
  • Double click on svchost.exe & follow the prompts.
  • It will attempt to install the Recovery Console:


  • When ComboFix finishes, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" in your next reply.


Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method (above method), but try to download it again, except name ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

Re: Trojan has disabled desktop, start menu and all programs.

Is it normal for the PC to reboot during the ComboFix scan? It did it one time and then started scanning and had a huge list going, and now it just rebooted again.

Re: Trojan has disabled desktop, start menu and all programs.

Yes. And the more malware your computer has on it, the longer it will take. Please post the log when finished.

Re: Trojan has disabled desktop, start menu and all programs.

ComboFix 09-09-18.02 - Mark Carter 09/20/2009 18:57.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.991.693 [GMT -4:00]
Running from: c:\documents and settings\Mark Carter\Desktop\ComboFix.exe
* Created a new restore point
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\cleanup.exe
c:\documents and settings\All Users\Application Data\13335794
c:\documents and settings\All Users\Application Data\13335794\13335794
c:\documents and settings\All Users\Application Data\13335794\13335794.exe
c:\documents and settings\All Users\Application Data\13335794\pc13335794ins
c:\documents and settings\Mark Carter\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk
c:\documents and settings\Mark Carter\Desktop\Advanced Virus Remover.lnk
c:\documents and settings\Mark Carter\Start Menu\A360
c:\documents and settings\Mark Carter\Start Menu\A360\A360.lnk
c:\documents and settings\Mark Carter\Start Menu\A360\Help.lnk
c:\documents and settings\Mark Carter\Start Menu\A360\Registration.lnk
c:\documents and settings\Mark Carter\Start Menu\Advanced Virus Remover.lnk
c:\program files\A360
c:\program files\AdvancedVirusRemover
c:\program files\AdvancedVirusRemover\PAVRM.exe
c:\program files\Common Files\System\Uninstall
c:\program files\Common Files\System\Uninstall\Uninstall A360.lnk
c:\program files\SafetyCenter
c:\program files\SafetyCenter\main.ico
c:\program files\SafetyCenter\new.exe
c:\program files\SafetyCenter\protector.exe
c:\program files\SafetyCenter\sound.wav
c:\program files\SafetyCenter\start.exe
c:\program files\SafetyCenter\uninstall.exe
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\Installer\WinRMSrv.msi
c:\windows\Installer\WMEncoder.msi
c:\windows\msa.exe
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\run.log
c:\windows\svchast.exe
c:\windows\system32\41.exe
c:\windows\system32\bincd32.dat
c:\windows\system32\config\systemprofile\Start Menu\Advanced Virus Remover.lnk
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\critical_warning.html
c:\windows\system32\dddesot.dll
c:\windows\system32\drivers\UACd.sys
c:\windows\system32\drivers\UACmpmbuetabr.sys
c:\windows\system32\images
c:\windows\system32\images\i1.gif
c:\windows\system32\images\i2.gif
c:\windows\system32\images\i3.gif
c:\windows\system32\images\j1.gif
c:\windows\system32\images\j2.gif
c:\windows\system32\images\j3.gif
c:\windows\system32\images\jj1.gif
c:\windows\system32\images\jj2.gif
c:\windows\system32\images\jj3.gif
c:\windows\system32\images\l1.gif
c:\windows\system32\images\l2.gif
c:\windows\system32\images\l3.gif
c:\windows\system32\images\pix.gif
c:\windows\system32\images\t1.gif
c:\windows\system32\images\t2.gif
c:\windows\system32\images\up1.gif
c:\windows\system32\images\up2.gif
c:\windows\system32\images\w1.gif
c:\windows\system32\images\w11.gif
c:\windows\system32\images\w2.gif
c:\windows\system32\images\w3.gif
c:\windows\system32\images\w3.jpg
c:\windows\system32\images\wt1.gif
c:\windows\system32\images\wt2.gif
c:\windows\system32\images\wt3.gif
c:\windows\system32\msxml71.dll
c:\windows\system32\net.net
c:\windows\system32\onhelp.htm
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\uacbbr.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACntybopxvml..dll
c:\windows\system32\UACoynmpkfshs.dll
c:\windows\system32\UACxnstijwivn.dat
c:\windows\system32\UACxvkkymtnql.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\wispex.html

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_AntipPro2009_100


((((((((((((((((((((((((( Files Created from 2009-08-20 to 2009-09-20 )))))))))))))))))))))))))))))))
.

2009-09-20 22:14 . 2009-09-20 22:16 79360 ----a-w- c:\documents and settings\Mark Carter\swxcacls.exe
2009-09-20 20:02 . 2009-09-20 20:02 693760 ----a-w- c:\windows\is-MQ5VP.exe
2009-09-20 18:51 . 2009-09-20 18:51 574 ----a-w- C:\cleanup.bat
2009-09-20 18:51 . 2009-09-20 18:51 135168 ----a-w- C:\zip.exe
2009-09-20 15:19 . 2009-09-20 15:19 -------- d-----w- c:\documents and settings\All Users\Application Data\CA-SupportBridge
2009-09-12 19:41 . 2009-09-12 19:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Webroot

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-20 23:10 . 2009-02-15 16:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-20 23:10 . 2005-03-19 18:02 -------- d-----w- c:\program files\Spyware Doctor
2009-09-20 23:10 . 2005-06-27 00:03 -------- d-----w- c:\program files\Microsoft AntiSpyware
2009-09-20 22:21 . 2009-02-15 16:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 18:54 . 2009-02-15 16:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 18:53 . 2009-02-15 16:38 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 01:27 . 2009-06-03 21:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-18 03:06 . 2009-02-15 16:49 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-14 13:31 . 2005-03-17 12:18 90112 ----a-w- c:\windows\DUMP5461.tmp
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 14:08 . 2004-08-04 12:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 16:18 . 2004-08-04 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2005-03-19 01:04 . 2005-03-19 01:01 56 --sh--r- c:\windows\system32\AAD55A613D.sys
2005-03-19 01:04 . 2005-03-19 01:01 3766 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Launchpad"="c:\program files\ATI Multimedia\main\launchpd.exe" [2003-06-13 106574]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2005-06-10 1095680]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 4662776]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-16 1200128]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 36975]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2005-02-18 784896]
"VSOCheckTask"="c:\progra~1\mcafee.com\vso\mcmnhdlr.exe" [2005-09-22 143360]
"VirusScan Online"="c:\progra~1\mcafee.com\vso\mcvsshld.exe" [2005-03-19 196608]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\mcagent.exe" [2005-09-22 303104]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"Lexmark X1100 Series"="c:\program files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 57344]
"gcasServ"="c:\program files\Microsoft AntiSpyware\gcasServ.exe" [2005-06-24 473928]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2005-10-27 3296256]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2009-07-23 1181064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2005-07-19 331776]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator..exe" - c:\windows\system32\narrator.exe [2004-08-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2002-1-9 200704]
Hawking HWU54D Utility.lnk - c:\program files\Hawking Technologies\Hawking_HWU54D_Utility\WlanUtil.exe [2005-3-18 393216]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [8/17/2009 11:05 PM 130936]
R0 SSI;SSI;c:\windows\system32\drivers\ssi.sys [11/12/2005 4:18 AM 78336]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/15/2009 12:49 PM 348752]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [3/18/2005 4:01 PM 188506]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [3/18/2005 4:01 PM 31003]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [3/18/2005 4:01 PM 9882]
R3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [3/19/2005 1:44 PM 23888]
S3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;c:\windows\system32\drivers\rt2500usb.sys [3/17/2005 7:39 PM 140416]
S3 P1001VID;Creative WebCam (WDM);c:\windows\system32\drivers\P1001Vid.sys [6/16/2006 8:01 PM 311684]
S3 ZD1211U(Hawking Technologies);Hawking Technologies HWU54D Hi-Gain Wireless-G USB Adapter(Hawking Technologies);c:\windows\system32\drivers\ZD1211U.sys [3/18/2005 3:48 PM 233472]
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;c:\windows\system32\ZDBRGSYS.sys [3/18/2005 3:38 PM 19200]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2009-08-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: microsoft.com\office
FF - ProfilePath - c:\documents and settings\Mark Carter\Application Data\Mozilla\Firefox\Profiles\rwmmucfs.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/|https://www.facebook.com/home.php?|http://twitter.com/|http://www.yahoo.com/
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-net - c:\windows\system32\net.net
HKLM-Run-13335794 - c:\documents and settings\All Users\Application Data\13335794\13335794.exe
HKLM-Run-CmPCIaudio - CMICNFG3.CPL
HKU-Default-Run-Advanced Virus Remover - c:\program files\AdvancedVirusRemover\PAVRM.exe
AddRemove-Basketball Playbook_is1 - f:\bball play maker playbook\unins000.exe
AddRemove-Win Antivirus Pro - c:\program files\Windows Antivirus Pro\AntiSpyware_Uninstall.exe
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-20 19:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'lsass.exe'(688)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2772)
kbiwkmxrevmylt.dll 10000000 36864 \\?\globalroot\systemroot\system32\kbiwkmxrevmylt.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\McAfee.com\Agent\Mcdetect.exe
c:\progra~1\McAfee.com\Agent\McTskshd.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Spyware Doctor\pctsSvc.exe
c:\program files\Webroot\Spy Sweeper\WRSSSDK.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wwSecure.exe
c:\windows\system32\rundll32.exe
c:\progra~1\McAfee.com\VSO\McVSEscn.exe
c:\program files\Java\jre1.5.0_05\bin\jucheck.exe
c:\program files\Lexmark X1100 Series\lxbkbmon.exe
c:\program files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\MICROS~4\rapimgr.exe
c:\progra~1\McAfee.com\VSO\mcvsftsn.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-09-20 19:18 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-20 23:18

Pre-Run: 80,624,820,224 bytes free
Post-Run: 80,873,996,288 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

353 --- E O F --- 2009-09-16 21:47
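
A defender-side triage of the registry and module sections of the ComboFix log above, added here as an example (it is not part of the thread or of ComboFix): it flags the Security Center overrides, the disabled firewall policy, the non-default BootExecute entry and the module loaded from a \\?\globalroot path. The sample log is a constructed excerpt of the lines above, and the section names and status labels are this example's own.

```python
import re

# Registry values that, when set this way, silence or disable Windows security
# features. ComboFix prints them either as 'dword:00000001' or as '1 (0x1)'.
TAMPER_VALUES = {
    "updatesdisablenotify": "1",
    "antivirusoverride": "1",
    "firewalloverride": "1",
    "antivirusdisablenotify": "1",
    "firewalldisablenotify": "1",
    "disablemonitoring": "1",
    "enablefirewall": "0",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.+)$')
GLOBALROOT_RE = re.compile(r"\\globalroot\\", re.IGNORECASE)
DEFAULT_BOOTEXECUTE = "BootExecute REG_MULTI_SZ autocheck autochk *"


def normalise(data):
    """Reduce 'dword:00000001', '1 (0x1)' or '0 (0x0)' to a plain decimal string."""
    data = data.strip()
    m = re.match(r"dword:([0-9a-fA-F]{8})$", data)
    if m:
        return str(int(m.group(1), 16))
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", data)
    if m:
        return m.group(1)
    return data


def find_indicators(log_text):
    """Return a list of (kind, detail) findings over a ComboFix-style log.

    kinds: 'registry-tamper'   - a security-related value set to a disabling state
           'bootexecute-extra' - BootExecute carries more than the default entry
           'globalroot-module' - a module loaded from a \\?\globalroot path,
                                 which hides where the file really lives
    """
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if line.startswith("BootExecute") and line != DEFAULT_BOOTEXECUTE:
            findings.append(("bootexecute-extra", line))
            continue
        if GLOBALROOT_RE.search(line):
            findings.append(("globalroot-module", line))
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name = m.group("name")
            expected = TAMPER_VALUES.get(name.lower())
            if expected is not None and normalise(m.group("data")) == expected:
                findings.append(("registry-tamper", current_key + "\\" + name))
    return findings


# Constructed excerpt of the log in this thread (benign Run and firewall
# exception lines included to show they are not flagged).
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0SsiEfr.e

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2772)
kbiwkmxrevmylt.dll 10000000 36864 \\?\globalroot\systemroot\system32\kbiwkmxrevmylt.dll
c:\windows\system32\shdoclc.dll
"""

if __name__ == "__main__":
    for kind, detail in find_indicators(SAMPLE_COMBOFIX):
        print(f"{kind:18} {detail}")
```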

Re: Trojan has disabled desktop, start menu and all programs.

Thank you so much!! My PC seems to be back to normal. Is there anything else that I need to do?

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please Re-run SystemLook

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:

    :filefind
    crypt32.dll
    gpedit.dll
    rundll32.exe
    sfc.dll
    svchost.exe
    kbiwkmxrevmylt.dll
    desot.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Trojan has disabled desktop, start menu and all programs.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:31 on 20/09/2009 by Mark Carter (Administrator - Elevation successful)

========== filefind ==========

Searching for "crypt32.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\crypt32.dll --a--- 599040 bytes [00:11 14/04/2008] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 597504 bytes [12:00 04/08/2004] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c 597504 bytes [12:00 04/08/2004] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18

Searching for "gpedit.dll"
No files found.

Searching for "rundll32.exe"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\rundll32.exe --a--- 33280 bytes [00:12 14/04/2008] [00:12 14/04/2008] 037B1E7798960E0420003D05BB577EE6
C:\WINDOWS\system32\dllcache\rundll32.exe --a--c 33280 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF
C:\WINDOWS\system32\rundll32.exe --a--- 33280 bytes [12:00 04/08/2004] [12:00 04/08/2004] DA285490BBD8A1D0CE6623577D5BA1FF

Searching for "sfc.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\sfc.dll --a--- 5120 bytes [00:12 14/04/2008] [00:12 14/04/2008] 96E1C926F22EE1BFBAE82901A35F6BF3
C:\WINDOWS\system32\dllcache\sfc.dll --a--c 5120 bytes [12:00 04/08/2004] [12:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E
C:\WINDOWS\system32\sfc.dll --a--- 5120 bytes [12:00 04/08/2004] [12:00 04/08/2004] E8A12A12EA9088B4327D49EDCA3ADD3E

Searching for "svchost.exe"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --a--- 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "kbiwkmxrevmylt.dll"
No files found.

Searching for "desot.exe"
No files found.

-=End Of File=-
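
The check behind the SystemLook request above, added here as an example that is not part of the thread or of SystemLook: parse the filefind output and compare the live system32 copy of each file against its dllcache copy, since a live copy whose MD5 no longer matches the cached copy deserves a closer look. The sample log is constructed from the lines above; example_patched.dll and its two hashes are placeholders standing in for a mismatching pair.

```python
import re

# One result line of SystemLook's filefind section:
#   <path> <attrs> <size> bytes [<created>] [<modified>] <MD5>
RESULT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"$')


def parse_filefind(log_text):
    """Map each searched file name (lower-cased) to the list of copies found.

    Each copy is a dict with 'path', 'size' and 'md5'; a name mapped to an
    empty list corresponds to SystemLook's 'No files found.'.
    """
    results = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m:
            results[current].append({
                "path": m.group("path"),
                "size": int(m.group("size")),
                "md5": m.group("md5").upper(),
            })
    return results


def compare_with_dllcache(results):
    """Classify each searched file by comparing the live system32 copy with dllcache.

    Returns {name: status} where status is one of:
      'ok'        - live copy and dllcache copy have the same size and MD5
      'mismatch'  - live copy differs from the dllcache copy (follow up on this)
      'no_pair'   - only one of the two copies was found
      'not_found' - SystemLook reported no files at all
    """
    statuses = {}
    for name, copies in results.items():
        live = [c for c in copies if c["path"].lower().endswith("\\system32\\" + name)]
        cache = [c for c in copies if c["path"].lower().endswith("\\system32\\dllcache\\" + name)]
        if not copies:
            statuses[name] = "not_found"
        elif not live or not cache:
            statuses[name] = "no_pair"
        elif live[0]["md5"] != cache[0]["md5"] or live[0]["size"] != cache[0]["size"]:
            statuses[name] = "mismatch"
        else:
            statuses[name] = "ok"
    return statuses


# Constructed sample: real entries from the log above plus one placeholder
# file (example_patched.dll) whose hashes are made up to show a mismatch.
SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:31 on 20/09/2009 by (user) (Administrator - Elevation successful)

========== filefind ==========

Searching for "crypt32.dll"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\crypt32.dll --a--- 599040 bytes [00:11 14/04/2008] [00:11 14/04/2008] BDAAF79DD63F194434D31A74B9BB8B77
C:\WINDOWS\system32\crypt32.dll --a--- 597504 bytes [12:00 04/08/2004] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18
C:\WINDOWS\system32\dllcache\crypt32.dll --a--c 597504 bytes [12:00 04/08/2004] [12:00 04/08/2004] EFC958396A7A7EF7E6D4A52B97512E18

Searching for "gpedit.dll"
No files found.

Searching for "svchost.exe"
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\svchost.exe --a--- 14336 bytes [00:12 14/04/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\dllcache\svchost.exe --a--c 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716

Searching for "example_patched.dll"
C:\WINDOWS\system32\example_patched.dll --a--- 14336 bytes [12:00 04/08/2004] [09:15 19/09/2009] 0123456789ABCDEF0123456789ABCDEF
C:\WINDOWS\system32\dllcache\example_patched.dll --a--c 14336 bytes [12:00 04/08/2004] [12:00 04/08/2004] FEDCBA9876543210FEDCBA9876543210

-=End Of File=-
"""

if __name__ == "__main__":
    for name, status in compare_with_dllcache(parse_filefind(SAMPLE_LOG)).items():
        print(f"{name}: {status}")
```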

Re: Trojan has disabled desktop, start menu and all programs.

Hi

!! NOTICE: This instruction is for this user only. If you are a lurker reading this, do not attempt it. !!

Please navigate to C:\Program Files\Malwarebytes' Anti-Malware and attempt to rename it to iexplore.exe
Then, double-click that to launch MBAM. Attempt to run a scan, and post the results in your next reply. If you cannot run the scan, please let me know.

Re: Trojan has disabled desktop, start menu and all programs.

Malwarebytes will not let me Ctrl+C to copy the results. There are 19 results, ranging from trojans to rogue installer to rootkit to trojan fake alert. Should I remove all of them?

Re: Trojan has disabled desktop, start menu and all programs.

Actually I just figured out how to do it. Here they are:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/20/2009 11:27:50 PM
mbam-log-2009-09-20 (23-27-40).txt

Scan type: Full Scan (C:\|)
Objects scanned: 162253
Time elapsed: 1 hour(s), 48 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\cleanup.exe.vir (Trojan.Banker) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\AdvancedVirusRemover\PAVRM.exe.vir (Rogue.Installer) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\Windows Antivirus Pro.exe.vir (Antivirus2009) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\Windows Antivirus Pro\tmp\dbsinit.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Antivirus2009) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\svchast.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dddesot.dll.vir (Rogue.ASC-AntiSpyware) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\net.net.vir (Trojan.Downloader) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\uacbbr.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACntybopxvml.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxvkkymtnql.dll.vir (Trojan.Agent) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Trojan.FakeAlert) -> No action taken.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACmpmbuetabr.sys.vir (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{5BCEF8EE-F24B-4F19-A9D8-BC954DD9F7C9}\RP665\A0194184.sys (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{5BCEF8EE-F24B-4F19-A9D8-BC954DD9F7C9}\RP665\A0194185.dll (Trojan.Agent) -> No action taken.
C:\System Volume Information\_restore{5BCEF8EE-F24B-4F19-A9D8-BC954DD9F7C9}\RP665\A0194187.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\kbiwkmwkalxryu.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\drivers\kbiwkmlsbpjnbo.sys (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\Mark Carter\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.AntiVirus360) -> No action taken.
C:\WINDOWS\system32\kbiwkmmujuqoey.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\kbiwkmujcbklpn.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\kbiwkmxewyftmd.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\kbiwkmxrevmylt.dll (Rootkit.TDSS) -> No action taken.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Re-run Malwarebytes in a quick scan, please remove selected, then post a new Malwarebytes log in your next reply.

Re: Trojan has disabled desktop, start menu and all programs.

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

9/21/2009 7:37:41 AM
mbam-log-2009-09-21 (07-37-41).txt

Scan type: Quick Scan
Objects scanned: 99143
Time elapsed: 7 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\kbiwkmwkalxryu.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\drivers\kbiwkmlsbpjnbo.sys (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Mark Carter\Application Data\Microsoft\Internet Explorer\Quick Launch\A360.lnk (Rogue.AntiVirus360) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbiwkmmujuqoey.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmujcbklpn.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmxewyftmd.dat (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\kbiwkmxrevmylt.dll (Rootkit.TDSS) -> Delete on reboot.

Re: Trojan has disabled desktop, start menu and all programs.

Please download and unzip Icesword to its own folder on your desktop


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Click the Startup tab and look out for red colored entries in the startup list. Write down the Path of any startup entries in red color. Then click on LOG. It will prompt you to save the log, call this Startup and save it to your desktop.


Step 4 : Click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Step 5 : Click the Message Hooks tab and check for any entries that are underneath Type and labelled WH_KEYBOARD. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for :

Processes
Win32 Services
Startup
SSDT
Message Hooks

Re: Trojan has disabled desktop, start menu and all programs.

I downloaded IceSword and when I tried to open it, the warning box popped open saying "Initialize failed; error code 3".

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download the Sophos Anti-Rootkit Scanner and save it to your desktop.

You will need to enter your name, e-mail address and location in order to access the download page.

  • Once you have downloaded the file, double click the sarsfx icon
  • Review the licence agreement and click on the Accept button
  • The scanner will prompt you to extract the files to C:\SOPHTEMP - DO NOT change this location, simply click the Install button

  • Once the files have been extracted; using Windows Explorer, navigate to C:\SOPHTEMP and double click on the blue shield icon called sargui
  • Ensure that there are checkmarks next to Running processes, Windows registry and Local hard drives, then click Start scan
  • Allow the program to scan your computer - please be patient as it may take some time
  • Once the scan has completed a window will pop-up with the results of the scan - click OK to this
  • In the main window, you will see each of the entries found by the scan (if any)

    • If the scanner generated any warning messages, please click on each warning and copy and paste the text of it into this thread for me to review
    • Once you have posted any warning messages here, you can close the scanner and wait for me to get back to you

  • If you have not had any warnings, any entries which can be cleaned up by the scanner will have a box with a green checkmark in it next to the entry
  • To clean up these entries click on the Clean up checked items button
  • If you accidentally check a file NOT recommended for clean up, you will get a warning message and if necessary can re-select the entries you want to clean up
  • Once you have cleaned the selected files, you will be prompted to re-boot your computer - please do so
  • When you have re-booted, please post a fresh HijackThis log into this thread and tell me how your computer is running now

Re: Trojan has disabled desktop, start menu and all programs.

Here is what it found: None of them had green check marks in the box.

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\Microsoft Office\Office12\OART.DLL
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\$hf_mig$\KB969898\spuninst.exe
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

C:\WINDOWS\$hf_mig$\KB971961\update\updspapi.dll
C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\update\update.exe
C:\WINDOWS\system32\kbdhu.dll
C:\WINDOWS\system32\dllcache\dhcpmon.dll
C:\WINDOWS\system32\dllcache\multibox.dll
C:\WINDOWS\system32\dllcache\regedit.exe
C:\WINDOWS\system32\dllcache\unregmp2.exe
C:\Documents and Settings\Mark Carter\Local Settings\Application Data\Apple Computer\Safari\Webpage Previews\329B29EB1E8908C29FF877CDE624AEF0.jpeg
C:\WINDOWS\$hf_mig$\KB896358\spuninst.exe
C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe
C:\WINDOWS\$NtUninstallKB885835$\lsasrv.dll
C:\Documents and Settings\Mark Carter\Local Settings\Application Data\Mozilla\Firefox\Profiles\rwmmucfs.default\Cache\E7F15ED2d01
C:\WINDOWS\$hf_mig$\KB911567\spuninst.exe
C:\Documents and Settings\Mark Carter\Local Settings\Application Data\Mozilla\Firefox\Profiles\rwmmucfs.default\Cache\8AEBF83Bd01
C:\Documents and Settings\Mark Carter\Application Data\Mozilla\Firefox\Profiles\rwmmucfs.default\cookies.sqlite-journal
C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}$BACKUP$\System\wmvdmod.dll
C:\Documents and Settings\Mark Carter\Local Settings\Temporary Internet Files\Content.IE5\E48HM4TR\click2,wNtKAG6sBwDyMS0AAAAAALDSDAAAAAAAAgAIAAYAAAAAAP8AAAAHCgwZEgAAAAAAAKINAAAAAACPJRIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABR[1].com%2F,
C:\Program Files\Ahead\NeroVision\NeroFiles\UDFImporter.dll
C:\Program Files\Ahead\NeroMediaPlayer\API\newtrf.dll
C:\Documents and Settings\Mark Carter\Local Settings\Temporary Internet Files\Content.IE5\JHF7UC5K\ra=JCMG9J30I0YXH6KPQ4B0JFKW1LR0YZ4R&sessioncookie=&cookie=&b[1].html%3Fn%3D735%3Bc%3D1546%2F1274%3Bd%3D16%3Bw%3D800%3Bh%3D600&screen=1024x768&localtime=9%3A42
C:\WINDOWS\system32\S3Disply.dll
C:\Program Files\Common Files\System\Ole DB\MSMDCUBE.DLL
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\vso\CopyToDVD\CopyToCd.exe
C:\Program Files\EasyDVDConverter\dc.ocx
C:\Program Files\FinePixViewer\Upload.exe
C:\Program Files\PIXELA\ImageMixer\Pen.8bf
C:\Program Files\Lexmark X1100 Series\JetOCR.dll
C:\Program Files\Lexmark X1100 Series\lxbkaior.dll
C:\WINDOWS\system32\spool\drivers\w32x86\lexmark_x1100_seriesf27b\LXBKLPA.DLL
C:\WINDOWS\system32\LXBKGF.DLL
C:\Program Files\Webroot\Washer\wwDisp.exe0
C:\WINDOWS\Installer\{9E9AEBE7-58A9-11D8-80AE-00036D10F3B7}\NewShortcut3_1AF432C44D9B11D780A300036D10F3B7.exe
C:\WINDOWS\system32\PreInstall\WinSE\wxp_x86_0409_v1\update.exe.ref
C:\WINDOWS\$hf_mig$\KB894391\update\update.exe
C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe
C:\WINDOWS\$NtUninstallKB941202$\inetcomm.dll
C:\WINDOWS\$hf_mig$\KB931768\update\updspapi.dll
C:\Program Files\XO Player\printplaybook.exe
C:\Documents and Settings\Mark Carter\Local Settings\Temporary Internet Files\Content.IE5\E48HM4TR\DQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZdwQAAAAAAAIAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&r=0
C:\WINDOWS\$hf_mig$\KB954600\update\update.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\WINDOWS\$NtUninstallKB918118$\msftedit.dll
C:\WINDOWS\$hf_mig$\KB927802\spuninst.exe
C:\Program Files\Google\Google Earth\usp10.dll
C:\WINDOWS\$hf_mig$\KB918899\SP2QFE\wininet.dll
C:\WINDOWS\$hf_mig$\KB933566\spuninst.exe
C:\Program Files\Spyware Doctor\plugins\is-46ROT.tmp
Removable: Yes (but clean up not recommended for this file)
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\mshtml.dll
C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\sqlqp20.dll
C:\WINDOWS\$NtUninstallKB932168$\spuninst\updspapi.dll
C:\WINDOWS\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
C:\Program Files\Microsoft Office\Office12\GrooveDataViewerTool.dll
C:\Program Files\Microsoft Office\Office12\OART.DLL
C:\WINDOWS\$hf_mig$\KB969898\spuninst.exe
C:\WINDOWS\$hf_mig$\KB971961\update\updspapi.dll

Re: Trojan has disabled desktop, start menu and all programs.

Please use Internet Explorer and run a BitDefender Online Scan from Here

  • Please check I agree with the Terms and Conditions and click Start Here
  • You will need to allow an Active X install for the scan to run.
  • Leave the scanning options at default and click Start Scan
Please post the results in your next reply.

Re: Trojan has disabled desktop, start menu and all programs.

Here is what was found:

BitDefender Online Scanner - Real Time Virus Report

Generated at: Wed, Sep 23, 2009 - 20:31:51

Scan Info
  Scanned Files: 236416
  Infected Files: 54

Virus Detected (name - count)
  Application.Generic.191750 - 2
  Trojan.Generic.2229864 - 3
  Trojan.Script.173274 - 1
  Trojan.Downloader.Wma.Wimad.K - 1
  Trojan.Generic.2427128 - 4
  Trojan.Generic.2370903 - 1
  Adware.WinAntivirusPro.D - 1
  Gen:Trojan.Heur.GM.0400240408 - 1
  Trojan.FakeAV.PZ - 1
  Trojan.Generic.2230880 - 1
  Trojan.FakeAlert.BIZ - 1
  Trojan.Downloader.WMA.Wimad.N - 1
  Trojan.Wimad.Gen.1 - 15
  Trojan.Downloader.Wimad.H - 3
  Rootkit.TDss.AA - 2
  Application.Generic.206633 - 1
  Trojan.Generic.2373366 - 1
  Trojan.FakeAlert.BJM - 1
  Application.Generic.201763 - 2
  MemScan:Trojan.Clicker.MUC - 1
  Trojan.FakeAV.RP - 1
  Trojan.Generic.IS.574696 - 1
  Trojan.FakeAntivirus.Gen - 1
  Adware.Generic.30374 - 2
  Gen:Packed.juW@d0sXOch - 1
  Trojan.FakeAlert.BJA - 1
  Trojan.Generic.IS.520533 - 1
  Trojan.Generic.IS.594511 - 2

This summary of the scan process will be used by the BitDefender Antivirus Lab to create aggregate statistics about virus activity around the world.

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please download the Kaspersky AVP Tool from Kaspersky-labs.com.
  • Save it to your desktop.
  • Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

    • System Memory
    • Startup Objects
    • Disk Boot Sectors.
    • My Computer.
    • Also any other drives (Removable that you may have)

After that, click on Security level, choose Customize, click on the tab that says Heuristic Analyzer, choose Enable Deep rootkit search, then click OK.
Then click OK again and you are back at the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom, save it to file, and name it Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report (it will be at the very top, under Detected). Post those results in your next reply.
Note: This tool will self uninstall when you close it so please save the log before closing it.

Re: Trojan has disabled desktop, start menu and all programs.

Detected
--------
Status Object
------ ------
deleted: Trojan program Exploit.Java.Gimsh.b File: C:\Documents and Settings\Mark Carter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5404ed29-47a366bc.zip/vmain.class
deleted: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Mark Carter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-1fc6f268-155def0c.zip/vlocal.class
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Mark Carter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-39536c18-59d1418a.zip
disinfected: Trojan program Trojan-Downloader.Java.OpenConnection.at File: C:\Documents and Settings\Mark Carter\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmseria.jar-56150ada-1d0566f0.zip
deleted: Trojan program Trojan-Downloader.WMA.GetCodec.ae File: C:\Documents and Settings\Mark Carter\Shared\fortunate maxwel.wma
deleted: new threat not-a-virus:FraudTool.Win32.WinAntiVirus.kn File: C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Trojan has disabled desktop, start menu and all programs.

Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 5.1.2600 Service Pack 2

9/24/2009 6:59:32 PM
mbam-log-2009-09-24 (18-59-27).txt

Scan type: Quick Scan
Objects scanned: 99642
Time elapsed: 22 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\NetworkNeighborhood\NameSpace\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmhylqgikc (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
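
As an added example (my own script, not part of the thread or of Malwarebytes), here is a small Python parser for the quick-scan log format posted above: it reads the summary counts and each section, checks that the counts match the items actually listed, and pulls out detections still marked "No action taken", which is exactly what the helper's next reply asks to have removed before rescanning. The sample log is constructed from lines in this thread; the function names are mine.

```python
import re

# Constructed sample built from lines in this thread's log (not the full log).
SAMPLE_LOG = r"""Registry Keys Infected: 2
Registry Data Items Infected: 1
Files Infected: 0

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5172ec55-e786-48a9-8fd9-c27c6a99f249} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbiwkmhylqgikc (Rootkit.TDSS) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

SUMMARY_RE = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")   # "Registry Keys Infected: 5"
HEADER_RE = re.compile(r"^(?P<section>.+ Infected):$")                    # "Registry Keys Infected:"
# Item lines: "<path> (<family>) -> [Bad: (x) Good: (y) -> ]<status>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> "
                     r"(?:Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> )?"
                     r"(?P<status>.+?)\.?$")

def parse_mbam_log(text):
    """Return (summary_counts, sections); a '(No malicious items detected)' section is an empty list."""
    summary, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SUMMARY_RE.match(line)):
            summary[m["section"]] = int(m["count"])
        elif (m := HEADER_RE.match(line)):
            current = m["section"]
            sections[current] = []
        elif current and not line.startswith("(No malicious"):
            if (m := ITEM_RE.match(line)):          # blank lines simply do not match
                sections[current].append(m.groupdict())
    return summary, sections

def pending_findings(text):
    """Detections the scan left in place ('No action taken'), i.e. what still has to be removed."""
    _, sections = parse_mbam_log(text)
    return [(sec, f["path"], f["family"]) for sec, items in sections.items()
            for f in items if f["status"] == "No action taken"]

def summary_consistent(text):
    """True when every summary count equals the number of items listed under that section."""
    summary, sections = parse_mbam_log(text)
    return all(summary.get(sec, 0) == len(items) for sec, items in sections.items())
```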

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please remove those selected, then do the following:
Re-open Malwarebytes, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.

Re: Trojan has disabled desktop, start menu and all programs.

Finished and said nothing was found.

Re: Trojan has disabled desktop, start menu and all programs.

Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 5.1.2600 Service Pack 2

9/24/2009 10:27:46 PM
mbam-log-2009-09-24 (22-27-46).txt

Scan type: Quick Scan
Objects scanned: 99664
Time elapsed: 16 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Hooray! Your computer is clean.

Download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Re: Trojan has disabled desktop, start menu and all programs.

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
McAfee VirusScan
McAfee SecurityCenter
``````````````````````````````
Anti-malware/Other Utilities Check:

Out of date Spybot installed!
Spybot - Search & Destroy 1.3
Spyware Doctor 6.1
Yahoo! Anti-Spy
Microsoft AntiSpyware
Spy Sweeper
Sophos Anti-Rootkit 1.5.0
CCleaner (remove only)
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent

``````````````````````````````
DNS Vulnerability Check:

Unknown. This method cannot test your vulnerability to DNS cache poisoning.

`````````End of Log```````````

Re: Trojan has disabled desktop, start menu and all programs.

Hi

Please upgrade to Windows XP SP3, because it includes all previously released updates. It also includes a small number of new functionalities. Some of the updates that Service Pack 3 provides, you may not have. It is now available via Windows Update.

==

Please read the following information that I have provided, which will help you prevent malicious software in the future. Please keep in mind, malware is a continuous danger on the Internet. It is highly important to stay safe while browsing, to prevent re-infection.

Software recommendations

AntiSpyware

  • SpywareBlaster
    SpywareBlaster is a program that prevents spyware from installing on your computer. A tutorial on using SpywareBlaster may be found here.
  • Spybot - Search & Destroy.
    Spybot - Search & Destroy is a spyware and adware removal program. It also has realtime protection, TeaTimer to help safeguard your computer against spyware. (The link for Spybot - Search & Destroy contains a tutorial that will help you download, install, and begin using Spybot).


NOTE: Please keep ALL of these programs up-to-date and run them whenever you suspect a problem to prevent malware problems.

Resident Protection help
A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall, and scanning anti-spyware program at a time. Passive protectors such as SpywareBlaster can be run with any of them.

Rogue programs help
There are a lot of rogue programs out there that want to scare you into giving them your money and some malware actually claims to be security programs. If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure and looking for anti-spyware programs, you can find out if it is a rogue here:
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Securing your computer

  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • hpHosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. This prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer's loopback address, meaning it will be difficult to infect your computer in the future.
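
To make the loopback-redirect mechanism concrete, here is an added Python example (my own, not hpHosts' code or anything from the thread) that parses a HOSTS file and separates blocklist entries, which point a name at 127.0.0.1, 0.0.0.0 or ::1, from entries that send a name to some other address; the latter are worth a second look, since a HOSTS file is also where a tampered mapping would show up. The sample file and its .invalid host names are constructed.

```python
import ipaddress

# Constructed sample HOSTS file; the .invalid names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   ads.example.invalid  tracker.example.invalid   # hpHosts-style block entries
0.0.0.0     badsite.example.invalid
198.51.100.7    update.antivirus.example.invalid   # a name sent to a remote address
::1             localhost
"""

# Addresses that make a name resolve to the local machine (or nowhere at all).
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}

def parse_hosts(text):
    """Yield (hostname, ip_address) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop inline and full-line comments
        if not line:
            continue
        fields = line.split()                    # whitespace-separated: IP then one or more names
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field is not an address: skip the line
        for name in fields[1:]:
            yield name.lower(), ip

def classify_hosts(text):
    """Return {'blocked': [...], 'redirected': [...]} as (name, ip_string) pairs.

    'blocked' entries resolve to a loopback or null address (what hpHosts installs);
    'redirected' entries send a name to any other address and deserve inspection.
    The stock localhost entries are ignored."""
    blocked, redirected = [], []
    for name, ip in parse_hosts(text):
        if name == "localhost":
            continue
        bucket = blocked if (ip in SINKHOLES or ip.is_loopback) else redirected
        bucket.append((name, str(ip)))
    return {"blocked": blocked, "redirected": redirected}
```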


Please consider using an alternate browser
Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker and add-ons, like NoScript, can make it even more secure. Opera is another good option.

If you are interested:


Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site. Do you have any more questions?

Re: Trojan has disabled desktop, start menu and all programs.

awesome! thank you sooooo much!!!!!

Re: Trojan has disabled desktop, start menu and all programs.

You are welcome.

Re: Trojan has disabled desktop, start menu and all programs.

Moderated Message: Hello, your comment has been removed. Please do not post in another member's topic. If you need help, please read this over and click here to open a new topic.

- Belahzur
