GeekPolice
Would you like to react to this message? Create an account in a few clicks or log in to continue.

GeekPoliceLog in

 


descriptionXP not functioning in normal or safe mode EmptyXP not functioning in normal or safe mode

more_horiz
My tower has stopped working. it started as not being able to access websites, then windows defender giving an error, then the task manager being infected. it also poped up with a virus or something that had those annoying fake pop up alerts. i still was able to run AVG. that scan got me a few trojans but the problem was not resolved. i tried to run Malwarebytes on it but upon install it would not launch and renaming files did not help. i tried to launch safe mode and run malwarebytes from there but had no desktop, start menu, task manager, nothing. just a black screen with "safe mode" in the corners. i attempted a launch in last known good config and achieved basically the same results plus the rather appropriate image of someone dressed as darth vader playing the fiddle that was my desktop background. i have no idea what to do next.

Last edited by mehowick on 30th September 2009, 6:35 am; edited 1 time in total (Reason for editing : bad wording)

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
ok i tried running hijackthis however it gave me an error and shut down. i cant get it restarted through the task manager it says something about not having appropriate permissions.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Ok here are my results:



SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 09:16 on 01/10/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [05:45 18/09/2008] [07:56 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll --a--- 181248 bytes [07:56 04/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [17:32 20/05/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [05:45 18/09/2008] [07:56 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll --a--- 407040 bytes [07:56 04/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [17:31 20/05/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [05:46 18/09/2008] [07:56 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll --a--- 56320 bytes [07:56 04/08/2004] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [17:52 20/05/2004] [00:11 14/04/2008] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Avenger results:


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************



i think whatever has caused this has hit my netbook as well probably while the two computers were still networked. should I start a new thread with this problem or can this be taken care of with the same or similar steps?
Update: cannot run hijackthis on netbook, but i can run system look. should i look for the same files?

Last edited by mehowick on 2nd October 2009, 3:14 am; edited 1 time in total (Reason for editing : update!)

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.
I will only deal with one machine at a time if they are the same user, otherwise it will get really confusing.

We'll deal with this first, then the other machine.

Can you download Hijack This on the machine we are currently working on? the file causing the block problem is gone now, so you should be able to.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
cool i totaly understand that. confusion only ads to the frustration

HijackThis log file:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ?? 08:48:33, on 2009/10/3
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: C:\WINDOWS\system32\yhs783ijfo3fe.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [40408b53] rundll32.exe "C:\WINDOWS\system32\hksyltfq.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
O4 - HKLM\..\Run: [2238284318] C:\Documents and Settings\Administrator\Application Data\2238284318\2238284318.exe
O4 - HKLM\..\Run: [7712371694] C:\Documents and Settings\Administrator\Application Data\7712371694\7712371694.exe
O4 - HKLM\..\Run: [jamamezub] Rundll32.exe "c:\windows\system32\yokamuye.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T reƖ Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138748809187
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: lejivaya.dll c:\windows\system32\yokamuye.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: ljJDWQIX - ljJDWQIX.dll (file missing)
O20 - Winlogon Notify: mlttufql - mlttufql.dll (file missing)
O20 - Winlogon Notify: tuvUNhFU - tuvUNhFU.dll (file missing)
O21 - SSODL: zesogigif - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll
O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe (file missing)

--
End of file - 12783 bytes

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: C:\WINDOWS\system32\yhs783ijfo3fe.dll - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
    O4 - HKLM\..\Run: [winupdate.exe] C:\WINDOWS\system32\winupdate.exe
    O4 - HKLM\..\Run: [2238284318] C:\Documents and Settings\Administrator\Application Data\2238284318\2238284318.exe
    O4 - HKLM\..\Run: [7712371694] C:\Documents and Settings\Administrator\Application Data\7712371694\7712371694.exe
    O4 - HKLM\..\Run: [jamamezub] Rundll32.exe "c:\windows\system32\yokamuye.dll",a
    O20 - AppInit_DLLs: lejivaya.dll c:\windows\system32\yokamuye.dll
    O20 - Winlogon Notify: ljJDWQIX - ljJDWQIX.dll (file missing)
    O20 - Winlogon Notify: mlttufql - mlttufql.dll (file missing)
    O20 - Winlogon Notify: tuvUNhFU - tuvUNhFU.dll (file missing)
    O21 - SSODL: zesogigif - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll
    O22 - SharedTaskScheduler: jso8joigm409gopgmrlgd - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\yhs783ijfo3fe.dll (file missing)
    O22 - SharedTaskScheduler: mujuzedij - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
O21 - SSODL: zesogigif - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll
O22 - SharedTaskScheduler: mujuzedij - {85695fa7-bfc7-49c0-ae22-a93d7a74c946} - c:\windows\system32\yokamuye.dll
[/b]

I could not remove/fix these two files as they did not show up in the second scan. similar files did show up but i did not fix them just in case. Tried to install mbam and it gave an error. ran third HiJackThis scan. Here are the results:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at ?? 07:47:48, on 2009/10/4
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [40408b53] rundll32.exe "C:\WINDOWS\system32\hksyltfq.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [1595671417] C:\Documents and Settings\Administrator\Application Data\1595671417\1595671417.exe
O4 - HKLM\..\Run: [9642813372] C:\Documents and Settings\Administrator\Application Data\9642813372\9642813372.exe
O4 - HKLM\..\Run: [jamamezub] Rundll32.exe "c:\windows\system32\taleyuwo.dll",a
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Cleanup] C:\cleanup.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [RecordNow!] (User '?')
O4 - HKUS\S-1-5-21-2367046221-998718354-2122322601-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://host.cycore.net/plugins/windows/ie/Cult3D_IE_5.3.0.228.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138748809187
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_3us.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/linklauncher/MotUtil.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: lejivaya.dll c:\windows\system32\taleyuwo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: viyozakij - {a4ace07e-b831-4638-8bcf-86d3ac4f7284} - c:\windows\system32\fumupofo.dll
O21 - SSODL: wojerawan - {d29adbc8-2b42-4619-9e45-72b764fe8439} - c:\windows\system32\taleyuwo.dll
O22 - SharedTaskScheduler: gahurihor - {a4ace07e-b831-4638-8bcf-86d3ac4f7284} - c:\windows\system32\fumupofo.dll
O22 - SharedTaskScheduler: jugezatag - {d29adbc8-2b42-4619-9e45-72b764fe8439} - c:\windows\system32\taleyuwo.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe
O23 - Service: SMX regulator (Windows SMX) - Unknown owner - C:\WINDOWS\winsmx.exe (file missing)

--
End of file - 12506 bytes

Last edited by mehowick on 5th October 2009, 7:39 am; edited 2 times in total

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    XP not functioning in normal or safe mode CF_download_FF

    XP not functioning in normal or safe mode CF_download_rename

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    XP not functioning in normal or safe mode Rcauto10

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes

    XP not functioning in normal or safe mode Whatne10

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
I ran combofix twice. the first time it initiated with errors and also poped up an avenger log from one of the past few days. it restarted into normal mode which did not function. upon restart into safe mode there was no .txt file. I therefore ran it again and got the log file below but no restart. i hope this contains the information you need.



ComboFix 09-10-04.01 - Administrator 2009/10/05 20:35.2.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Owner\Application Data\seres.exe
c:\documents and settings\Owner\Application Data\svcst.exe
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\temp.dmf
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zap3A4.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zap3A6.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zap3A8.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zap3AA.tmp
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\zap3AC.tmp
C:\Documents
c:\program files\Accoona
c:\program files\Accoona\tbquiesce.exe
c:\program files\Common
c:\program files\Mozilla Firefox\extensions\{3441BB4E-78D2-434E-BA69-033B4B49C324}
c:\program files\Mozilla Firefox\extensions\{3441BB4E-78D2-434E-BA69-033B4B49C324}\chrome.manifest
c:\program files\Mozilla Firefox\extensions\{3441BB4E-78D2-434E-BA69-033B4B49C324}\chrome\content\overlay.xul
c:\program files\Mozilla Firefox\extensions\{3441BB4E-78D2-434E-BA69-033B4B49C324}\install.rdf
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\recycler\S-1-5-21-0243936033-3052116371-381863308-1811
c:\recycler\S-1-5-21-4449761734-7507166403-137233722-4680
c:\recycler\S-1-5-21-699545166-1250842568-2445657903-1003
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Installer\12ef3.msi
c:\windows\Installer\1b5862e0.msp
c:\windows\Installer\22541999.msp
c:\windows\Installer\2c69f65.msi
c:\windows\Installer\47cd1b7a.msp
c:\windows\Installer\8abe8.msi
c:\windows\jestertb.dll
c:\windows\system32\~.exe
c:\windows\system32\18467.exe
c:\windows\system32\41.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\gfhkj.bak1
c:\windows\system32\gfhkj.bak2
c:\windows\system32\gfhkj.ini
c:\windows\system32\gfhkj.ini2
c:\windows\system32\gfhkj.tmp
c:\windows\system32\huzisopo.dll
c:\windows\system32\jopisado.exe
c:\windows\system32\kogekebe.dll
c:\windows\system32\lejivaya.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\ovfsthxgxuwoele.dat
c:\windows\system32\ovfsthxpiyojdfj.dat
c:\windows\system32\p2hhr.bat
c:\windows\system32\qftlyskh.ini
c:\windows\system32\tEgiQqru.ini
c:\windows\system32\tEgiQqru.ini2
c:\windows\system32\thniuoju.ini
c:\windows\system32\tmqlyrlu.ini
c:\windows\system32\UCdMpqss.ini
c:\windows\system32\UCdMpqss.ini2
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yJRBayay.ini
c:\windows\system32\yJRBayay.ini2
c:\windows\Tasks\qabmtoks.job
c:\windows\viassary-hp.reg
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 01:13 . 2009-10-06 01:13 -------- d-----w- c:\windows\LastGood
2009-10-06 00:53 . 2009-10-06 01:11 -------- d-----w- C:\Combo-Fix.txt
2009-10-05 21:38 . 2009-10-05 21:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\3353943843
2009-10-05 09:37 . 2009-10-05 09:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\0071353322
2009-10-04 21:37 . 2009-10-04 21:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\9642813372
2009-10-04 09:37 . 2009-10-04 09:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\1595671417
2009-10-03 17:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 17:40 . 2009-10-05 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 17:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-03 09:37 . 2009-10-03 09:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\7712371694
2009-10-01 21:38 . 2009-10-01 21:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\2238284318
2009-10-01 03:53 . 2009-10-01 03:53 -------- d-----w- c:\program files\Trend Micro
2009-09-30 13:37 . 2009-09-30 13:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 13:24 . 2009-09-30 13:24 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-30 13:23 . 2009-09-30 13:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-30 12:56 . 2009-09-30 12:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-30 05:20 . 2009-09-30 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 03:27 . 2009-10-01 02:35 0 ----a-w- c:\windows\win32k.sys
2009-09-30 03:27 . 2009-09-30 03:27 5632 ----a-w- C:\rlswn.exe
2009-09-30 03:27 . 2009-09-30 03:27 110080 ----a-w- C:\mtlff.exe
2009-09-30 03:27 . 2009-09-30 03:27 53248 ----a-w- C:\yonm.exe
2009-09-30 03:27 . 2009-09-30 03:27 46592 ----a-w- C:\nqxbk.exe
2009-09-09 07:29 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 01:11 . 2005-04-18 04:46 793 --sha-w- c:\windows\system32\mmf.sys
2009-09-30 05:38 . 2008-10-19 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-30 04:51 . 2006-12-09 19:38 -------- d-----w- c:\program files\Windows Defender
2009-09-30 03:44 . 2008-10-19 05:02 -------- d-----w- c:\program files\DNA
2009-09-05 12:32 . 2009-09-05 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-09-05 07:24 . 2004-07-13 20:28 -------- d-----w- c:\program files\DivX
2009-09-05 07:23 . 2009-09-05 07:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-14 13:36 . 2009-02-01 15:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 13:36 . 2008-07-04 05:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 13:36 . 2007-01-01 08:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 13:03 . 2005-03-08 04:25 -------- d-----w- c:\documents and settings\Owner\Application Data\BitTorrent
2009-08-07 00:24 . 2004-08-11 22:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2004-05-20 17:33 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-05-20 17:51 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2004-05-20 17:33 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-01 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-05-20 17:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-11 06:45 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-08 23:41 . 2005-03-08 23:41 56 --sha-r- c:\windows\system32\82F1638CF7.sys
2009-07-02 09:37 . 2009-07-02 09:37 39424 --sha-w- c:\windows\system32\bahabona.dll
2009-07-04 21:37 . 2009-07-04 21:37 38912 --sha-w- c:\windows\system32\bezizipu.dll
2009-07-04 09:37 . 2009-07-04 09:37 1048611 --sha-w- c:\windows\system32\difebebu.exe
2009-06-30 03:35 . 2009-06-30 03:35 90624 --sha-w- c:\windows\system32\dipakule.dll
2009-07-05 21:37 . 2009-07-05 21:37 1048611 --sha-w- c:\windows\system32\fonodate.exe
2009-07-04 09:37 . 2009-07-04 09:37 90624 --sha-w- c:\windows\system32\fumupofo.dll
2009-06-30 03:35 . 2009-06-30 03:35 46592 --sha-w- c:\windows\system32\hazafupe.exe
2009-07-01 09:37 . 2009-07-01 09:37 52736 --sha-w- c:\windows\system32\kavumefe.dll
2005-03-08 23:41 . 2005-03-08 23:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-01 09:36 . 2009-07-01 09:36 52736 --sha-w- c:\windows\system32\kiratero.dll
2009-07-03 09:37 . 2009-07-03 09:37 1048099 --sha-w- c:\windows\system32\laweyohe.exe
2009-07-01 21:37 . 2009-07-01 21:37 39424 --sha-w- c:\windows\system32\lunegogu.dll
2009-07-01 09:36 . 2009-07-01 09:36 1047588 --sha-w- c:\windows\system32\nalusihe.exe
2009-07-03 21:37 . 2009-07-03 21:37 38912 --sha-w- c:\windows\system32\nominenu.dll
2009-07-05 09:37 . 2009-07-05 09:37 1048611 --sha-w- c:\windows\system32\sokofosu.exe
2009-06-30 03:35 . 2009-06-30 03:35 1082404 --sha-w- c:\windows\system32\sonewibu.exe
2009-07-05 09:37 . 2009-07-05 09:37 38912 --sha-w- c:\windows\system32\sovowuyi.dll
2009-07-03 09:37 . 2009-07-03 09:37 38912 --sha-w- c:\windows\system32\tufujavu.dll
2009-06-30 03:35 . 2009-06-30 03:35 39424 --sha-w- c:\windows\system32\vomuganu.dll
2009-07-01 09:36 . 2009-07-01 09:36 39424 --sha-w- c:\windows\system32\wifenoho.dll
2009-07-02 21:37 . 2009-07-02 21:37 38912 --sha-w- c:\windows\system32\wozupeva.dll
2009-07-03 09:37 . 2009-07-03 09:37 90112 --sha-w- c:\windows\system32\wurebupe.dll
2009-07-05 21:37 . 2009-07-05 21:37 39424 --sha-w- c:\windows\system32\yadebene.dll
2009-07-04 09:37 . 2009-07-04 09:37 38912 --sha-w- c:\windows\system32\yiriyidi.dll
2009-07-03 21:37 . 2009-07-03 21:37 90112 --sha-w- c:\windows\system32\yokamuye.dll
2009-07-01 09:36 . 2009-07-01 09:36 91136 --sha-w- c:\windows\system32\yovalono.dll
2009-06-30 03:35 . 2009-06-30 03:35 1082404 --sha-w- c:\windows\system32\yuhisona.exe
2009-07-01 21:37 . 2009-07-01 21:37 1048100 --sha-w- c:\windows\system32\yunohoyo.exe
2009-07-04 21:37 . 2009-07-04 21:37 1048611 --sha-w- c:\windows\system32\zayitala.exe
.

------- Sigcheck -------

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe

[7] 2008-04-14 . 6D4FEB43EE538FC5428CC7F0565AA656 . 56320 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\eventlog.dll
[7] 2004-08-04 . 82B24CB70E5944E6E34662205A2A5B78 . 55808 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\eventlog.dll

c:\windows\system32\eventlog.dll ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b819be00-f942-45f0-b106-84b148d3208e}]
2009-07-01 09:37 52736 --sha-w- c:\windows\system32\kavumefe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe" [2004-04-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-14 2007832]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Wireless Assistant.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2004-12-17 7708672]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{a4ace07e-b831-4638-8bcf-86d3ac4f7284}"= "c:\windows\system32\fumupofo.dll" [2009-07-04 90624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"viyozakij"= {a4ace07e-b831-4638-8bcf-86d3ac4f7284} - c:\windows\system32\fumupofo.dll [2009-07-04 90624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 13:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=
"c:\\Program Files\\VectorWorks 10.1\\VectorWorks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\InterVideo\\Quake III Arena\\quake3.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=
"c:\\StubInstaller.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\BitTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCP:btdownloadergui

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-14 335240]
R1 wsjhiqhq;wsjhiqhq;c:\windows\system32\drivers\wsjhiqhq.sys [x]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-14 297752]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-04-18 2560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R2 Windows SMX;SMX regulator;c:\windows\winsmx.exe [x]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKCU-Run-RecordNow! - (no file)
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
HKLM-Run-40408b53 - c:\windows\system32\hksyltfq.dll
HKLM-Run-jamamezub - c:\windows\system32\kogekebe.dll
HKLM-Run-fopugakeli - huzisopo.dll
HKU-Default-Run-DWQueuedReporting - c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe
SharedTaskScheduler-{0157002e-2da5-4d3e-91da-68c61ce0eee6} - c:\windows\system32\kogekebe.dll
SSODL-fihuvasip-{0157002e-2da5-4d3e-91da-68c61ce0eee6} - c:\windows\system32\kogekebe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 20:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367046221-998718354-2122322601-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:c5,ff,57,75,f6,0a,be,c2
"3"=hex:48,0c,95,15,2b,0f,5c,2f,6f,53,7a,16,ea,05,fc,41,9c,cb,d7,93,ce,0b,b9,
e9,f3,cb,59,bb,1e,cc,c3,d2,4b,65,38,f1,04,90,3a,67,09,52,da,db,9c,b2,36,eb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:5d,56,03,e5,33,b3,79,9e,4c,e0,61,6e,a5,60,95,f1,1d,da,60,89,a3,a0,95,
f9
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-10-06 20:44
ComboFix-quarantined-files.txt 2009-10-06 01:44

Pre-Run: 75,978,805,248 bytes free
Post-Run: 75,941,343,232 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,3,4,5
355 --- E O F --- 2009-09-29 05:08

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\win32k.sys
    C:\rlswn.exe
    C:\mtlff.exe
    C:\yonm.exe
    C:\nqxbk.exe
    c:\windows\system32\bahabona.dll
    c:\windows\system32\bezizipu.dll
    c:\windows\system32\difebebu.exe
    c:\windows\system32\dipakule.dll
    c:\windows\system32\fonodate.exe
    c:\windows\system32\fumupofo.dll
    c:\windows\system32\hazafupe.exe
    c:\windows\system32\kavumefe.dll
    c:\windows\system32\kiratero.dll
    c:\windows\system32\laweyohe.exe
    c:\windows\system32\lunegogu.dll
    c:\windows\system32\nalusihe.exe
    c:\windows\system32\nominenu.dll
    c:\windows\system32\sokofosu.exe
    c:\windows\system32\sonewibu.exe
    c:\windows\system32\sovowuyi.dll
    c:\windows\system32\tufujavu.dll
    c:\windows\system32\vomuganu.dll
    c:\windows\system32\wifenoho.dll
    c:\windows\system32\wozupeva.dll
    c:\windows\system32\wurebupe.dll
    c:\windows\system32\yadebene.dll
    c:\windows\system32\yiriyidi.dll
    c:\windows\system32\yokamuye.dll
    c:\windows\system32\yovalono.dll
    c:\windows\system32\yuhisona.exe
    c:\windows\system32\yunohoyo.exe
    c:\windows\system32\zayitala.exe

    Folder::
    c:\documents and settings\Administrator\Application Data\3353943843
    c:\documents and settings\Administrator\Application Data\0071353322
    c:\documents and settings\Administrator\Application Data\9642813372
    c:\documents and settings\Administrator\Application Data\1595671417
    c:\documents and settings\Administrator\Application Data\7712371694
    c:\documents and settings\Administrator\Application Data\2238284318

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b819be00-f942-45f0-b106-84b148d3208e}]
    [-HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
    "{a4ace07e-b831-4638-8bcf-86d3ac4f7284}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "viyozakij"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\Java\\j2re1.4.2_03\\bin\\javaw.exe"=-
    "c:\\Program Files\\Java\\jre1.5.0_02\\bin\\javaw.exe"=-
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
    "c:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=-
    "c:\\StubInstaller.exe"=-
    "c:\\Program Files\\DNA\\btdna.exe"=-
    "c:\\Documents and Settings\\Owner\\Desktop\\BitTorrent.exe"=-
    "c:\\WINDOWS\\system32\\taskmgr.exe"=-

    Driver::
    wsjhiqhq
    Windows SMX

    RegLock::
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

    FCopy::
    c:\windows\$NtServicePackUninstall$\eventlog.dll | c:\windows\system32\eventlog.dll

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    XP not functioning in normal or safe mode Cf010

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
since my computer is not displaying certian images, im not entirely sure i did this right according to the picture. but when i grabbed the .txt file and droped it onto the combo fix icon combo fix started right up. i ended up having to do this twice. the first time it again did not produce a log file. the second time it popped up with warnings that avg was running. i thought it was shut down as it did not appear in the list of processes in the Task Manager. however i cannot figure out how to shut it down. the only thing that hapens when i try to run avg is it enters into a command line scanner since i am in safe mode. i cant access the regular program to de-activate the active scanner. i shut down combo fix the second time.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
ok i got confirmation from avg that the scanner does not run in safe mode i went ahead and did another scan. these are the results:

ComboFix 09-10-06.03 - Administrator 2009/10/06 21:42.5.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.886.1033.18.447.289 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"C:\mtlff.exe"
"C:\nqxbk.exe"
"C:\rlswn.exe"
"c:\windows\system32\bahabona.dll"
"c:\windows\system32\bezizipu.dll"
"c:\windows\system32\difebebu.exe"
"c:\windows\system32\dipakule.dll"
"c:\windows\system32\fonodate.exe"
"c:\windows\system32\fumupofo.dll"
"c:\windows\system32\hazafupe.exe"
"c:\windows\system32\kavumefe.dll"
"c:\windows\system32\kiratero.dll"
"c:\windows\system32\laweyohe.exe"
"c:\windows\system32\lunegogu.dll"
"c:\windows\system32\nalusihe.exe"
"c:\windows\system32\nominenu.dll"
"c:\windows\system32\sokofosu.exe"
"c:\windows\system32\sonewibu.exe"
"c:\windows\system32\sovowuyi.dll"
"c:\windows\system32\tufujavu.dll"
"c:\windows\system32\vomuganu.dll"
"c:\windows\system32\wifenoho.dll"
"c:\windows\system32\wozupeva.dll"
"c:\windows\system32\wurebupe.dll"
"c:\windows\system32\yadebene.dll"
"c:\windows\system32\yiriyidi.dll"
"c:\windows\system32\yokamuye.dll"
"c:\windows\system32\yovalono.dll"
"c:\windows\system32\yuhisona.exe"
"c:\windows\system32\yunohoyo.exe"
"c:\windows\system32\zayitala.exe"
"c:\windows\win32k.sys"
"C:\yonm.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\windows\$NtServicePackUninstall$\eventlog.dll --> c:\windows\system32\eventlog.dll
.
((((((((((((((((((((((((( Files Created from 2009-09-07 to 2009-10-07 )))))))))))))))))))))))))))))))
.

2009-10-06 23:50 . 2009-10-07 00:02 -------- d-----w- C:\Combo-Fix9963C
2009-10-06 22:35 . 2009-10-06 22:35 -------- d-----w- c:\windows\LastGood
2009-10-06 22:23 . 2004-08-04 07:56 55808 ----a-w- c:\windows\system32\eventlog.dll
2009-10-06 01:34 . 2009-10-06 22:18 -------- d-----w- C:\Combo-Fix
2009-10-06 00:53 . 2009-10-06 01:11 -------- d-----w- C:\Combo-Fix.txt
2009-10-03 17:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 17:40 . 2009-10-05 00:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 17:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 03:53 . 2009-10-01 03:53 -------- d-----w- c:\program files\Trend Micro
2009-09-30 13:37 . 2009-09-30 13:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 13:24 . 2009-09-30 13:24 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-30 13:23 . 2009-09-30 13:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-30 12:56 . 2009-09-30 12:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-30 05:20 . 2009-09-30 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-09 07:29 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-06 22:32 . 2005-04-18 04:46 793 --sha-w- c:\windows\system32\mmf.sys
2009-09-30 05:38 . 2008-10-19 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-30 04:51 . 2006-12-09 19:38 -------- d-----w- c:\program files\Windows Defender
2009-09-30 03:44 . 2008-10-19 05:02 -------- d-----w- c:\program files\DNA
2009-09-05 12:32 . 2009-09-05 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-09-05 07:24 . 2004-07-13 20:28 -------- d-----w- c:\program files\DivX
2009-09-05 07:23 . 2009-09-05 07:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-14 13:36 . 2009-02-01 15:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 13:36 . 2008-07-04 05:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 13:36 . 2007-01-01 08:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 00:24 . 2004-08-11 22:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-05-20 17:33 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-05-20 17:51 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-02-01 02:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-05-20 17:33 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-01 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-05-20 17:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 15:08 . 2004-08-11 06:45 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-08 23:41 . 2005-03-08 23:41 56 --sha-r- c:\windows\system32\82F1638CF7.sys
2005-03-08 23:41 . 2005-03-08 23:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 00:12 . !HASH: COULD NOT OPEN FILE !!!!! . 1033728 . . [------] . . c:\windows\explorer.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ServicePackFiles\i386\explorer.exe
[-] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2009-10-06_01.42.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:48 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 208744 c:\windows\LastGood\system32\muweb.dll
+ 2009-10-06 22:35 . 2008-10-16 20:06 268648 c:\windows\LastGood\system32\mucltui.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe" [2004-04-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Wireless Assistant.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2004-12-17 7708672]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 13:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VectorWorks 10.1\\VectorWorks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\InterVideo\\Quake III Arena\\quake3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCP:btdownloadergui

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-14 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-14 297752]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-04-18 2560]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-06 21:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367046221-998718354-2122322601-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:c5,ff,57,75,f6,0a,be,c2
"3"=hex:48,0c,95,15,2b,0f,5c,2f,6f,53,7a,16,ea,05,fc,41,9c,cb,d7,93,ce,0b,b9,
e9,f3,cb,59,bb,1e,cc,c3,d2,4b,65,38,f1,04,90,3a,67,09,52,da,db,9c,b2,36,eb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:5d,56,03,e5,33,b3,79,9e,4c,e0,61,6e,a5,60,95,f1,1d,da,60,89,a3,a0,95,
f9
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-10-07 21:53
ComboFix-quarantined-files.txt 2009-10-07 02:53
ComboFix2.txt 2009-10-07 00:02
ComboFix3.txt 2009-10-06 01:44

Pre-Run: 75,786,301,440 bytes free
Post-Run: 75,753,889,792 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,3,4,5
248 --- E O F --- 2009-09-29 05:08

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
so just for shits and giggles i attempted to run MBAM following combo fix and it acutally ran successfuly! heres the results:

Malwarebytes' Anti-Malware 1.41
Database version: 2917
Windows 5.1.2600 Service Pack 3 (Safe Mode)

2009/10/6 ?? 10:44:36
mbam-log-2009-10-06 (22-44-36).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 241392
Time elapsed: 43 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 116

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6c8ab177-7b09-4f5c-9e6d-82eaa765430c} (Adware.Accoona) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7ed983c3-faac-400c-bbd4-f519d74ff188} (Adware.Accoona) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f80c1d93-0d22-436e-963e-9d3156997a4e} (Adware.Accoona) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Accoona (Adware.Accoona) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
C:\Combo-Fix.txt\Combo-Fix.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\mtlff.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\nqxbk.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\rlswn.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\yonm.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\0071353322\0071353322.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\1595671417\1595671417.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\2238284318\2238284318.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\3353943843\3353943843.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\7712371694\7712371694.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\9642813372\9642813372.exe.vir (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\seres.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Owner\Application Data\svcst.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Windows Police Pro\windows Police Pro.exe.vir (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bahabona.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bezizipu.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\difebebu.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\dipakule.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fonodate.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fumupofo.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hazafupe.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\huzisopo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kavumefe.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kiratero.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kogekebe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\laweyohe.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lejivaya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lunegogu.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nalusihe.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nominenu.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sokofosu.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sonewibu.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sovowuyi.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tufujavu.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vomuganu.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wifenoho.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wozupeva.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wurebupe.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yadebene.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yiriyidi.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yokamuye.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yovalono.dll.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yuhisona.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yunohoyo.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zayitala.exe.vir (Worm.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0175222.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176295.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176296.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176297.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176337.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176338.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0176339.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179341.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179343.exe (Trojan.Banker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179368.exe (Worm.Pushbot) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179372.exe (Backdoor.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179403.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179404.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179410.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179415.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179420.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179422.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179430.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179460.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179461.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179544.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179594.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179597.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179600.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179603.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179606.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179609.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179610.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179611.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179612.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179613.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179614.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179615.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179616.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179617.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179618.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179619.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179620.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179621.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179622.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179623.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179624.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179625.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179626.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179627.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179628.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179629.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179630.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179631.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179632.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179633.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179634.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179635.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179636.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179637.dll (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179638.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179639.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179640.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1670\A0179642.exe (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0179707.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0179769.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0179837.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0179906.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0180068.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0180121.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{70304573-AB33-4072-AA96-4495C42D15E3}\RP1672\A0180292.sys (Worm.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Desktop\winlogon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.
Nearly done now.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Uninstal Manager List:

AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 6.0 Professional
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Creative Suite
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
Adobe Reader 7.0.5
Adobe Shockwave Player 11
Adobe SVG Viewer 3.0
Agere Systems PCI Soft Modem
Anvil Studio
AOL Instant Messenger
Apple Mobile Device Support
Apple Software Update
AutoCAD 2006 - English
Autodesk Express Viewer
AVG Free 8.5
AVI to MPEG Converter
BSPlayer
Combined Community Codec Pack 2005-12-21 (Remove Only)
Command & Conquer The First Decade
dBpowerAMP Music Converter
Direct Show Ogg Vorbis Filter (remove only)
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
EVGA Display Driver
ffdshow (remove only)
Garmin Communicator Plugin
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
HP Deskjet Preloaded Printer Drivers
HP Image Zone 3.5
HP Image Zone Plus 3.5
HP Instant Support
HP Organize
HP Photo & Imaging 3.5 - HP Devices
HP PSC & OfficeJet 3.5
HP Software Update
HPIZ350
Huffyuv AVI lossless video codec (Remove Only)
intelliScore Polyphonic Demo
InterVideo WinDVD Creator 2
InterVideo WinDVD Player
iPod for Windows 2005-03-23
iPod for Windows 2005-10-12
iPod for Windows 2005-11-17
iPod shuffle Reset Utility
IsoBuster 1.8
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Java 2 Runtime Environment, SE v1.4.2_05
Java 2 Runtime Environment, SE v1.4.2_06
Java(TM) 6 Update 15
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Matroska Pack - Lazy Man's MKV 0.9.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
MidiNotate Composer
MobileMe Control Panel
Morgan Stream Switcher
Mozilla Firefox (3.0.7)
MP3 Converter Simple
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NETGEAR Wireless Adapter WG311T
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
Photosmart 140,240,7200,7600,7700,7900 Series
Python 2.2 combined Win32 extensions
Python 2.2.1
QuickTime
RealPlayer
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
TallStick TS-AudioToMIDI 3.20 (remove only)
Toolkit View(HP)
Trillian
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB973815)
Updates from HP
VC80CRTRedist - 8.0.50727.762
VDMSound
VectorWorks 10.1
VectorWorks Viewer 10.1
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
VideoLAN VLC media player 0.8.6c
Viewpoint Manager (Remove Only)
Viewpoint Media Player
ViviCam 3350
Windows Defender Signatures
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 8
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinRAR archiver
XviD Video Codec 24062003-1 (Koepi's developer build)
Yahoo! Anti-Spy

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    J2SE Runtime Environment 5.0 Update 6
    J2SE Runtime Environment 5.0 Update 8
    Java 2 Runtime Environment, SE v1.4.2_03
    Java 2 Runtime Environment, SE v1.4.2_05
    Java 2 Runtime Environment, SE v1.4.2_06
    Java(TM) 6 Update 15
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player

How is the machine running now?

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
its the same. no start menu no desktop no access to the task manager when booted normally or in safe mode as user. no start menu or desktop when started in safe mode as admin. it wouldnt let me uninstall the java programs. it gave me an error about windows installer service not working in safe mode or being improperly installed.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hmm, sounds like Explorer isn't working too well.

Boot to normal mode, and when it comes on blank, can you open the Task Manager by using alt/ctrl/del.

Under the Applications tab, press "New Task...", and type in "explorer" in the run field.

Does your Desktop load now?

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
ctrl alt del doesnt work. it gives me an error saying the admin has blocked this function or something to that effect.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.
I want to check something.

Submit a file for analysis.

  1. Please visit this website: Jotti's Malware Scanner
  2. Press the "Browse" button and locate the following file in bold:
    C:\WINDOWS\explorer.exe
  3. Press the "Submit File button to submit the file for analysis.
  4. Allow it to be scanned, it could take a few minutes depending on server load.
  5. Copy and paste the result back here.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
This is what it had in the status bar:

File is empty (0 bytes)!

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
bump

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hmm, lets get a fresh copy of that file from a backup you have on your machine.

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    FCopy::
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe

  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    XP not functioning in normal or safe mode Cf010

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
ComboFix 09-10-12.03 - Administrator 2009/10/12 22:34.6.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.886.1033.18.447.267 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\iniasd.txt

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-13 to 2009-10-13 )))))))))))))))))))))))))))))))
.

2009-10-07 02:41 . 2009-10-07 02:53 -------- d-----w- C:\Combo-Fix23555C
2009-10-06 23:50 . 2009-10-07 00:02 -------- d-----w- C:\Combo-Fix9963C
2009-10-06 22:23 . 2004-08-04 07:56 55808 ------w- c:\windows\system32\eventlog.dll
2009-10-06 01:34 . 2009-10-06 22:18 -------- d-----w- C:\Combo-Fix
2009-10-06 00:53 . 2009-10-06 01:11 -------- d-----w- C:\Combo-Fix.txt
2009-10-03 17:40 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-03 17:40 . 2009-10-07 03:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-03 17:40 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-01 03:53 . 2009-10-01 03:53 -------- d-----w- c:\program files\Trend Micro
2009-09-30 13:37 . 2009-09-30 13:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-30 13:24 . 2009-09-30 13:24 -------- d-sh--w- c:\documents and settings\Administrator\IECompatCache
2009-09-30 13:23 . 2009-09-30 13:23 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-09-30 12:56 . 2009-09-30 12:56 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2009-09-30 05:20 . 2009-09-30 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 01:30 . 2005-04-18 04:46 793 --sha-w- c:\windows\system32\mmf.sys
2009-10-09 01:26 . 2004-07-13 20:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-30 05:38 . 2008-10-19 05:02 -------- d-----w- c:\documents and settings\Owner\Application Data\DNA
2009-09-30 04:51 . 2006-12-09 19:38 -------- d-----w- c:\program files\Windows Defender
2009-09-30 03:44 . 2008-10-19 05:02 -------- d-----w- c:\program files\DNA
2009-09-05 12:32 . 2009-09-05 12:32 -------- d-----w- c:\documents and settings\Owner\Application Data\DivX
2009-09-05 07:24 . 2004-07-13 20:28 -------- d-----w- c:\program files\DivX
2009-09-05 07:23 . 2009-09-05 07:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-08-14 13:36 . 2009-02-01 15:17 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-14 13:36 . 2008-07-04 05:16 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 13:36 . 2007-01-01 08:37 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-07 00:24 . 2004-08-11 22:48 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-07 00:24 . 2004-08-11 22:48 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-07 00:24 . 2005-05-26 11:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-07 00:24 . 2004-08-11 22:48 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-07 00:24 . 2004-05-20 17:33 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-07 00:24 . 2004-05-20 17:51 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-07 00:23 . 2004-08-11 22:48 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-07 00:23 . 2006-02-01 02:02 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-07 00:23 . 2005-05-26 09:19 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-07 00:23 . 2004-05-20 17:33 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 15:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-02-01 19:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-05-20 17:51 58880 ----a-w- c:\windows\system32\atl.dll
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2005-03-08 23:41 . 2005-03-08 23:41 56 --sha-r- c:\windows\system32\82F1638CF7.sys
2005-03-08 23:41 . 2005-03-08 23:41 1890 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-06_01.42.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-11 22:48 . 2009-08-07 00:24 35552 c:\windows\system32\dllcache\wups.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
"BackupNotify"="c:\program files\HP\Digital Imaging\bin\backupnotify.exe" [2004-01-09 32768]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Acme.PCHButton"="c:\progra~1\HPINST~1\Pavilion\XPHNABS4EN\plugin\bin\pchbutton.exe" [2004-04-01 159744]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2004-03-25 1732608]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-06 2023704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-04-28 185896]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-03-04 88209]
"AlcxMonitor"="ALCXMNTR.EXE" - c:\windows\ALCXMNTR.EXE [2004-09-07 57344]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-12 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-11-16 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
AutoCAD Startup Accelerator.lnk - c:\program files\Common Files\Autodesk Shared\acstart16.exe [2005-3-5 10872]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-9-16 237568]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG311T Wireless Assistant.lnk - c:\program files\NETGEAR\WG311T\wlancfg5.exe [2004-12-17 7708672]
Updates from HP.lnk - c:\program files\Updates from HP\137903\Program\BackWeb-137903.exe [2004-4-1 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-14 13:36 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\VectorWorks 10.1\\VectorWorks.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\InterVideo\\Quake III Arena\\quake3.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCP:btdownloadergui

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-14 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-14 297752]
R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2005-04-18 2560]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 16512]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
DPF: ActiveGS.cab - hxxp://www.virtualapple.com/activegs.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-12 22:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2367046221-998718354-2122322601-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b7,6d,c5,fe,2e,8f,b3,40,ba,ea,4d,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\A4C6DC1D7052183A161573F7BA846387]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:c5,ff,57,75,f6,0a,be,c2
"3"=hex:48,0c,95,15,2b,0f,5c,2f,6f,53,7a,16,ea,05,fc,41,9c,cb,d7,93,ce,0b,b9,
e9,f3,cb,59,bb,1e,cc,c3,d2,4b,65,38,f1,04,90,3a,67,09,52,da,db,9c,b2,36,eb,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:5d,56,03,e5,33,b3,79,9e,4c,e0,61,6e,a5,60,95,f1,1d,da,60,89,a3,a0,95,
f9
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:07,96,b3,35,9e,5a,1a,0b
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
Completion time: 2009-10-13 22:45
ComboFix-quarantined-files.txt 2009-10-13 03:45
ComboFix2.txt 2009-10-07 02:53
ComboFix3.txt 2009-10-07 00:02
ComboFix4.txt 2009-10-06 01:44

Pre-Run: 75,604,992,000 bytes free
Post-Run: 75,660,136,448 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=,1,3,4,5
207 --- E O F --- 2009-09-29 05:08

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

XP not functioning in normal or safe mode CF_Cleanup

This will also reset your restore points.

How is the machine running now?

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
its actually running reƖative well considering its an old un-upgraded pos. a little slower than normal i think and i cannot re-install windows defender. i uninstalled it when i thought a bad update was the cause of the problem. oops. it says something about insufficent permissions. i still cannot access the task manager. it still says it has been disabled by the admin. audio and video seem to work just fine.

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.
See here for Task Manager problem.
http://www.tips4pc.com/Computer_tips_and_tricks/disable_or_enable_the_task_manager.htm

The above guide is for disabling Task Manager, but follow the steps and turn it back on. Smile...

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
this also managed not to work, but i somehow found a way around it. i deleted the old defender file and then it let me re-install. ran mbam and got rid of the stuff it found, re-booted and pow i can get to the task manager. all seems to be good with it finally!

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Ah, good then.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck. Big Grin

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
thank you thank you thank you! i shall certainly try to stick to firefox from now on though i dont like the UI as much as IE. ive created the restore point so it should be good to go. i just have one question and another foray to ask of you. first is there a program or a setting in windows out there like carbonite or mozi that will instead of an on-line back up, automatically backup files to an external hard drive when it is connected? also as i mentioned earlier, could you also help with my net book that is getting assulted by police pro even in safe mode?

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
Hello.
For backup software, I know a few, but they don't do it automatically like your wanting, so it's probably better to ask in software forum for that, other techs on this forum will know some different programs than I do.

As for your net book, sure I'll help, just open a new topic for another machine. Smile...

descriptionXP not functioning in normal or safe mode EmptyRe: XP not functioning in normal or safe mode

more_horiz
privacy_tip Permissions in this forum:
You cannot reply to topics in this forum