I am about to toss my laptop out of a 4th story window...



BlackAngler
2009-10-03, 05:23
Ok first of all I just want to say thanks to anybody who has taken the time to read this thread and is willing to lend a hand. A couple of quick things:

I am just an average user and have never encountered malware like I have now. So I have never created logs/scripts as I have seen browsing through other threads here. I handle instruction well though so throw it at me!

I don't know where to begin to show any of you informed users exactly what is wrong with my PC, but I get tons of "Bad Image" messages that say the following:

"The application or DLL kayufegi.dll is not a valid Windows image. Please check this against your installation diskette"

As a side note, I knew something was wrong when the word "diskette" was used. Who the HELL uses the word diskette????

The messages start right at the beginning of the boot: the screen blinks black, the first message comes up, and they continue to come up as various files try to load (I am forced to hit "OK").

I then downloaded the Spybot S&D from a flash drive. It installed after a little bit of work, and it recognizes malware but before it can finish scanning I get the following message:

"The system is shutting down. Please save all work in progress and log off. Any unsaved changes will be lost. This shutdown was initiated by NT AUTHORITY/SYSTEM."

It then gives me a 1 minute countdown in the middle and has the following message down below:

"Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly."


Ok that's about all I've got right now. THANKS very much for any help you can provide.

Looks like I didn't read the instructions beforehand. Sorry about that! Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:24 PM, on 10/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\gjx01r4y21.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\gjx01r4y21.dll
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [Registry Repair Doctor] C:\Program Files\Registry Repair Doctor\RegistryRepair.exe /startup
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\David\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-1005\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe /STARTUP (User '?')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-1005\..\Run: [Registry Repair Doctor] C:\Program Files\Registry Repair Doctor\RegistryRepair.exe /startup (User '?')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-1005\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\David\LOCALS~1\Temp\spoolsv.exe (User '?')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User '?')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 27 missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} (CoxSelfInstallAx10 Control) - https://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientspace.com/download/RapidocsX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: kayufegi.dll
O20 - Winlogon Notify: __c00E4584 - C:\WINDOWS\system32\__c00E4584.dat
O22 - SharedTaskScheduler: iukjsf8w3jirojs9f8u3jruhsf78s3jijdif - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\gjx01r4y21.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Unknown owner - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (file missing)

--
End of file - 9345 bytes
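The autostart entries in the log above can be triaged mechanically. The following is an added example, not part of the original thread and not code from HijackThis or Spybot: it parses an excerpt of that log and flags the persistence patterns visible in it. The heuristics, the `SYSTEM_NAMES` list, the `WINDIR` value and the reason labels are assumptions made for illustration; three of the files it flags (kayufegi.dll, gjx01r4y21.dll, __c00E4584.dat) reappear in the ComboFix deletion list later in the thread.

```python
import re

# Excerpt copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\system32\gjx01r4y21.dll - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\gjx01r4y21.dll
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKCU\..\Run: [Yjafosi8kdf98winmdkmnkmfnwe] C:\DOCUME~1\David\LOCALS~1\Temp\spoolsv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP chain gap (#1 in chain of 27 missing)
O20 - AppInit_DLLs: kayufegi.dll
O20 - Winlogon Notify: __c00E4584 - C:\WINDOWS\system32\__c00E4584.dat
O22 - SharedTaskScheduler: iukjsf8w3jirojs9f8u3jruhsf78s3jijdif - {A249BC15-23F2-42AD-F4E4-00AAC39C0004} - C:\WINDOWS\system32\gjx01r4y21.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")       # "O4 - <body>"
RUN_RE = re.compile(r"^[^:]+: \[[^\]]*\] (.+)$")          # "HKCU\..\Run: [name] <cmd>"
PATH_RE = re.compile(r'^"?(.+?\.(?:exe|com|scr|bat|dll))(?=["\s]|$)', re.I)
CLSID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)
TEMP_RE = re.compile(r"\\te?mp\\", re.I)

# Assumptions for this example: core Windows process names and the Windows directory.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
WINDIR = "c:\\windows\\"


def parse(log):
    """Split a HijackThis log into (section code, body) pairs, skipping other lines."""
    entries = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def run_path(body):
    """Extract the executable path from an O4 Run entry, quoted or unquoted."""
    m = RUN_RE.match(body)
    cmd = m.group(1) if m else body
    p = PATH_RE.match(cmd)
    return p.group(1) if p else cmd


def triage(log):
    """Return (code, reason, detail) findings for suspicious autostart entries."""
    findings = []
    clsid_seen = {}  # CLSID -> set of section codes that reference it
    for code, body in parse(log):
        low = body.lower()
        for clsid in CLSID_RE.findall(body):
            clsid_seen.setdefault(clsid.upper(), set()).add(code)
        if code == "O4":
            path = run_path(body)
            name = path.rsplit("\\", 1)[-1].lower()
            if TEMP_RE.search(path):
                # Autostart programs do not normally live in a Temp directory.
                findings.append((code, "run-from-temp", body))
            if name in SYSTEM_NAMES and not path.lower().startswith(WINDIR):
                # A system process name outside the Windows directory is a masquerade.
                findings.append((code, "system-name-outside-windows", body))
        elif code == "O7" and "disableregedit=1" in low:
            findings.append((code, "regedit-disabled", body))
        elif code == "O10" and "lsp chain gap" in low:
            findings.append((code, "lsp-chain-broken", body))
        elif code == "O20":
            kind, _, value = body.partition(": ")
            target = value.rsplit(" - ", 1)[-1].strip()
            if kind == "AppInit_DLLs" and target:
                # Any DLL listed here is loaded into every process that loads user32.dll.
                findings.append((code, "appinit-dll", body))
            elif kind == "Winlogon Notify" and not target.lower().endswith(".dll"):
                findings.append((code, "winlogon-notify-non-dll", body))
    for clsid, codes in clsid_seen.items():
        if {"O2", "O22"} <= codes:
            # The same component registered as both BHO and SharedTaskScheduler.
            findings.append(("O2+O22", "clsid-shared-bho-sts", clsid))
    return findings


if __name__ == "__main__":
    for code, reason, detail in triage(SAMPLE_LOG):
        print(f"{code:7} {reason:28} {detail}")
```
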

IndiGenus
2009-10-03, 23:55
Hello BlackAngler and welcome to the forums here at Spybot S&D!


You definitely have some pretty nasty stuff on here. Let's see if we can get it cleaned up.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

BlackAngler
2009-10-04, 21:11
Hi Indi,

Thank you for your response. I have no access to the internet with my PC so I downloaded the ComboFix file to a thumb drive and tried to run it from that. It begins to run, but the previously mentioned shutdown message appears. Any ideas? Thanks again!


David

IndiGenus
2009-10-05, 04:16
First let's see if we can get the network working again.

WinsockFix to restore internet connectivity.

http://www.spychecker.com/program/winsockxpfix.html

The Winsockfix Utility will:
· Detect your current Operating System
· Release the IP address, taking you "Offline"
· Reset the TCP stack using Netsh.exe (Windows XP only)
· Delete the current Registry TCP and Winsock Values
· Import new "Working" Registry Values
· Backup any Current "Hosts" file
· Replace the "Hosts" file with a default one
· Reboot the Computer

Instructions:
http://www.home-network-help.com/winsockfix.html

Then see if you can get online.

BlackAngler
2009-10-06, 04:56
Indi,

Significant progress! I ran WinsockFix with no issues. I was then able to gain access to the internet, downloaded and re-ran ComboFix. The log is pasted below. I can't believe all of the crap it found! As requested, I have also included an updated copy of the HijackThis log. It is running BEAUTIFULLY, probably the best it has in years. Thank you VERY much for your help, I will definitely be making a donation. How do the logs look?

ComboFix 09-10-04.01 - David 10/05/2009 18:28.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.218 [GMT -7:00]
Running from: c:\documents and settings\David\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\David\LOCALS~1\Temp\services.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Application Data\onylik.bin
c:\documents and settings\All Users\Documents\jumibumeh.scr
c:\documents and settings\All Users\Documents\rasucykyw._dl
c:\documents and settings\David\Application Data\lizkavd.exe
c:\documents and settings\David\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\David\Application Data\seres.exe
c:\documents and settings\David\Application Data\svcst.exe
c:\documents and settings\David\Application Data\zegylog.bat
c:\documents and settings\David\Cookies\baco.dl
c:\documents and settings\David\Cookies\luwibuf.dl
c:\documents and settings\David\Local Settings\Application Data\raju.com
c:\documents and settings\David\Local Settings\Temporary Internet Files\gobyx.vbs
c:\documents and settings\David\Local Settings\Temporary Internet Files\zuxad._sy
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.cfg
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\dejuz.exe
c:\program files\Common Files\ozawedote.reg
c:\program files\Shared\_lib.dll
c:\program files\Shared\_lib.sig
c:\program files\Shared\lib.dll
c:\program files\Shared\lib.sig
c:\recycler\S-1-5-21-4028359202-722901303-932418291-500
c:\windows\kb913800.exe
c:\windows\mark_32.dll
c:\windows\ModemLog_PANTECH USB Modem .txt
c:\windows\olotizab.reg
c:\windows\system32\__c00E4584.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\ajykevy.sys
c:\windows\system32\daneviha.dll
c:\windows\system32\gjX01r4y21.dll
c:\windows\system32\humu.dl
c:\windows\system32\kayufegi.dll
c:\windows\system32\rabivufu.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\yratogufog.sys
c:\windows\ukesy.inf
c:\windows\wpd99.drv
c:\windows\yjagu.scr
C:\xcrashdump.dat
c:\windows\system32\drivers\str.sys . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://download.yimg.com
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-06 to 2009-10-06 )))))))))))))))))))))))))))))))
.

2009-10-06 01:41 . 2009-10-06 01:41 0 ------w- c:\windows\system32\drivers\str.sys
2009-10-06 01:38 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-10-06 01:38 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-06 01:04 . 2009-10-06 01:04 -------- d-----w- C:\ERDNT
2009-10-04 18:09 . 2009-10-04 18:09 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-03 03:14 . 2009-10-03 03:14 -------- d-----w- c:\program files\Trend Micro
2009-10-03 00:33 . 2009-10-03 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 00:33 . 2009-10-03 00:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-28 11:17 . 2009-09-28 11:19 -------- d-----w- c:\program files\Registry Repair Doctor
2009-09-28 08:43 . 2009-09-28 08:43 19462 ----a-w- c:\program files\Common Files\izylexyt.dat
2009-09-28 08:43 . 2009-09-28 08:43 12763 ----a-w- c:\windows\oloqysito.dat
2009-09-28 07:50 . 2004-05-11 17:56 423784 ----a-w- c:\windows\system32\XceedBkp.dll
2009-09-28 07:50 . 2003-11-19 21:59 512688 ----a-w- c:\windows\system32\XceedCry.dll
2009-09-28 07:50 . 2000-07-15 13:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-09-28 07:50 . 2006-05-31 22:38 10752 ----a-w- c:\windows\system32\md5.dll
2009-09-28 07:50 . 2009-09-28 07:50 -------- d-----w- c:\program files\MalwareSweeper.com
2009-09-28 07:48 . 2009-09-28 07:48 -------- d-----w- c:\program files\Zamaan's Software
2009-09-28 06:09 . 2009-09-28 06:09 77056 ----a-w- c:\windows\system32\drivers\nevietyomhf.sys
2009-09-28 06:09 . 1980-08-17 00:00 28160 ----a-w- C:\rmeprraf.exe.dat
2009-09-26 03:25 . 2009-09-26 03:25 -------- d-----w- c:\program files\iPod
2009-09-26 03:24 . 2009-09-26 03:26 -------- d-----w- c:\program files\iTunes
2009-09-26 03:24 . 2009-09-26 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-26 03:10 . 2009-09-26 03:10 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-18 01:32 . 2009-10-06 01:37 -------- d-----w- c:\program files\Shared
2009-09-14 06:33 . 2009-09-14 06:33 40764 ---ha-w- c:\windows\system32\mlfcache.dat
2009-09-09 03:26 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 05:37 . 2007-04-10 02:54 -------- d-----w- c:\documents and settings\David\Application Data\Apple Computer
2009-09-26 03:25 . 2009-05-19 05:17 -------- d-----w- c:\program files\Common Files\Apple
2009-09-26 03:21 . 2006-07-20 02:40 -------- d-----w- c:\program files\QuickTime
2009-09-26 03:08 . 2009-06-04 05:08 -------- d-----w- c:\program files\Safari
2009-09-14 06:41 . 2009-08-22 04:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-09-14 06:35 . 2006-08-11 20:56 -------- d-----w- c:\program files\Picasa2
2009-09-06 16:43 . 2007-08-07 01:17 -------- d-----w- c:\program files\Common Files\Motive
2009-09-06 16:42 . 2007-08-07 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2009-09-05 23:22 . 2007-08-07 01:22 -------- d-----w- c:\documents and settings\David\Application Data\Motive
2009-09-05 23:21 . 2009-09-05 23:20 -------- d-----w- c:\program files\ATT-SST
2009-09-05 23:14 . 2009-09-05 23:14 -------- d-----w- c:\program files\att-r9
2009-09-05 23:14 . 2009-09-05 23:14 -------- d-----w- c:\program files\ATT-R9-WISE
2009-08-29 02:42 . 2009-05-19 05:18 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-08-29 02:42 . 2009-05-19 05:18 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-08-22 04:02 . 2006-10-10 08:09 -------- d-----w- c:\documents and settings\All Users\Application Data\yahoo!
2009-08-22 04:02 . 2006-10-10 14:26 -------- d--h--r- c:\documents and settings\David\Application Data\yahoo!
2009-08-18 05:19 . 2006-07-19 22:18 49624 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 08:02 . 2009-08-10 08:02 -------- d-----w- c:\program files\MSBuild
2009-08-10 08:02 . 2009-08-10 08:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-08 05:42 . 2006-07-19 22:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-05 09:01 . 2006-07-19 00:47 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2006-07-19 00:46 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 17:08 . 2006-07-19 00:48 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-04-26 20:59 . 2009-04-26 20:59 336 ----a-w- c:\program files\temp995.bat
.

------- Sigcheck -------

[-] 2005-08-04 01:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\MsPMSNSv.dll
[-] 2005-08-04 01:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\system32\MsPMSNSv.dll
[-] 2005-08-04 01:29 . B9715B9C18BC6C8F4B66733D208CC9F7 . 25088 . . [10.0.3790.4332] . . c:\windows\system32\dllcache\mspmsnsv.dll
[7] 2004-08-10 12:00 . 6EAA72FD9EF993EC1FA9A06DE65105DA . 25088 . . [10.0.3790.3646] . . c:\windows\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}$BACKUP$\System\MsPMSNSv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malware Sweeper"="c:\program files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe" [2007-11-07 696320]
"Registry Repair Doctor"="c:\program files\Registry Repair Doctor\RegistryRepair.exe" [2005-12-04 413696]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]
"BHR"="c:\program files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe" [2006-10-25 9375744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TOSHIBA\\Windows Utilities\\TACSPROP.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\system32\\sessmgr.exe"=

R2 McciServiceHost;McciServiceHost;c:\program files\Common Files\Motive\McciServiceHost.exe [9/5/2009 4:20 PM 296208]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 11:50 AM 98816]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [2/1/2008 4:02 AM 65536]
S3 hamachi_oem;PlayLinc Adapter;c:\windows\system32\drivers\gan_adapter.sys [10/19/2006 11:11 AM 10664]
S3 IO_Memory;IO_Memory;\??\c:\sysprep\Drivers\ioport.sys --> c:\sysprep\Drivers\ioport.sys [?]
S3 PTDMBus;PANTECH USB Modem Composite Device Driver ;c:\windows\system32\drivers\PTDMBus.sys [5/19/2008 8:58 PM 29952]
S3 PTDMMdm;PANTECH USB Modem Drivers ;c:\windows\system32\drivers\PTDMMdm.sys [5/19/2008 8:58 PM 41856]
S3 PTDMVsp;PANTECH USB Modem Serial Port ;c:\windows\system32\drivers\PTDMVsp.sys [5/19/2008 8:58 PM 39936]
S3 PTDMWWAN;PANTECH USB Modem WWAN Driver;c:\windows\system32\drivers\PTDMWWAN.sys [5/19/2008 8:58 PM 59520]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys --> c:\sysprep\PEDrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-03 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-10-03 22:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyServer = proxy:80
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} - hxxps://mycampus.phoenix.edu/secure/PhxStudent15.CAB
DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} - hxxps://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} - hxxps://www.clientspace.com/download/RapidocsX.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Yahoo! Toolbar - c:\progra~1\Yahoo!\Common\UNYT_W~1.EXE



**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(636)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3292)
c:\windows\system32\WININET.dll
gasfkympikxwqj.dll 10000000 32768 \\?\globalroot\systemroot\system32\gasfkympikxwqj.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\system32\DVDRAMSV.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\snmp.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\system32\TODDSrv.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2009-10-06 18:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-06 01:48

Pre-Run: 58,322,944,000 bytes free
Post-Run: 58,373,611,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

234 --- E O F --- 2009-09-09 08:10





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:56:13 PM, on 10/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Motive\McciServiceHost.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck /autofix
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKCU\..\Run: [Malware Sweeper] C:\Program Files\MalwareSweeper.com\MalwareSweeper\MalSwep.exe /STARTUP
O4 - HKCU\..\Run: [Registry Repair Doctor] C:\Program Files\Registry Repair Doctor\RegistryRepair.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-500\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe (User 'Administrator')
O4 - HKUS\S-1-5-21-1284318549-852921245-2569291293-500\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Administrator')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {CB97291A-6603-466A-AA11-80C2EB74CB10} (CoxSelfInstallAx10 Control) - https://install.cox.net/CoxSelfInstall/CoxSelfInstallAx10.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E5C97835-6865-443E-8C33-671D9C71A6D0} (LedaX Control) - https://www.clientspace.com/download/RapidocsX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\WINDOWS\system32\TODDSrv.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Unknown owner - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (file missing)

--
End of file - 8063 bytes

IndiGenus
2009-10-15, 21:18
I have to apologize BlackAngler. Was just going back through my posts and noticed I hadn't responded here. Don't remember getting email but no excuses.

I'm glad things are running better. But you are still infected. Also,

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)

When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so. There are excellent tools and resources to remove these infections but there are no guarantees.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post and again I apologize for letting this go so long.

tashi
2009-10-22, 01:45
BlackAngler, this topic will be archived but if you still require help on this please send a private message to IndiGenus so it can be re-opened. :)