Time for house cleaning instructions and help.



tankedsecondchance
2011-05-15, 02:02
Hello, it's been a long time since I was last here. (You last visited: 09-07-16 at 09:32) :oops: "I'm Back". Anyhow, I have maybe three computers that most likely have some related issues, and some USB flash devices that get moved around a good bit. This one has software which I purchased in maybe 2003; it came along as part of the package deal from Dell. It will take me a while to dig up the key codes from the CD boxes to find them.

This PC started to run slow and hang up, then everything would just freeze up: Task Manager would not open, Internet Explorer would close, and none of the virus tools would run or update. I was also getting a regular message that my virtual memory was maxed out.

My son copied my files to a card, then dumped the system and started to re-install everything. Internet Explorer won't download, and I can't get into safe mode now at all. I tried to download a couple of other virus tools you mention on-line here, but they fail to download or crash after they start.

My son partitioned the drive into two areas: one for my old information that he copied, another for trying to install everything new into.


I think the recovery console is also gone.

Malwarebytes kept finding and fixing the same five registry key issues. Spybot found and fixed a couple of items after we updated it. We share a common router which is wired for two PCs, and have a laptop which uses the WiFi.

Thanks in advance.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Me at 1:01:11.67 on Sun 05/15/2011
Internet Explorer: 6.0.2900.2180
.
============== Running Processes ===============
.
C:\Documents and Settings\Me.TIM\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows2\system32\igfxtray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com (http://www.spywareinfo.com)
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\me.tim\applic~1\mozilla\firefox\profiles\6tv5e5pb.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R? BCM42XX;Broadcom iLine10(tm) Network Adapter Driver
S? abp470n5;abp470n5
S? cmdAgent;COMODO Internet Security Helper Service
S? cmdGuard;COMODO Internet Security Sandbox Driver
S? cmdHlp;COMODO Internet Security Helper Driver
.
=============== Created Last 30 ================
.
2011-05-14 22:00:50 -------- d--h--w- C:\VritualRoot
2011-05-14 22:00:50 -------- d-----w- c:\documents and settings\me.tim\..
2011-05-14 22:00:50 -------- d-----w- c:\documents and settings\me.tim\.
2011-05-14 22:00:50 -------- d-----w- C:\Documents and Settings
2011-05-14 19:49:10 -------- d-----w- c:\docume~1\me.tim\applic~1\WinPatrol
2011-05-13 22:10:51 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Identities
2011-05-13 10:39:56 -------- d-----w- c:\windows2\system32\CatRoot_bak
2011-05-13 00:03:00 -------- d-----w- c:\windows2\system32\KB905474
2011-05-11 20:20:34 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Google
2011-05-11 11:44:17 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 09:43:49 272128 -c----w- c:\windows2\system32\dllcache\bthport.sys
2011-05-11 09:42:28 153088 -c----w- c:\windows2\system32\dllcache\triedit.dll
2011-05-11 09:42:14 3555328 -c----w- c:\windows2\system32\dllcache\moviemk.exe
2011-05-11 09:40:55 743936 -c----w- c:\windows2\system32\dllcache\helpsvc.exe
2011-05-11 09:33:16 1172480 -c----w- c:\windows2\system32\dllcache\msxml3.dll
2011-05-11 09:32:40 655872 -c----w- c:\windows2\system32\dllcache\mstscax.dll
2011-05-11 09:29:25 352640 -c----w- c:\windows2\system32\dllcache\srv.sys
2011-05-11 09:28:32 90112 ----a-w- c:\windows2\unvise32.exe
2011-05-11 09:26:57 454016 -c----w- c:\windows2\system32\dllcache\mrxsmb.sys
2011-05-11 09:26:38 470528 -c----w- c:\windows2\system32\dllcache\aclayers.dll
2011-05-11 09:09:11 331776 -c----w- c:\windows2\system32\dllcache\msadce.dll
2011-05-11 09:00:31 332800 -c----w- c:\windows2\system32\dllcache\netapi32.dll
2011-05-11 09:00:01 -------- d-----w- c:\windows2\system32\PreInstall
2011-05-11 08:59:40 -------- d--h--w- c:\windows2\$hf_mig$
2011-05-11 08:57:39 215552 -c----w- c:\windows2\system32\dllcache\wordpad.exe
2011-05-11 08:56:11 85504 -c----w- c:\windows2\system32\dllcache\cabview.dll
2011-05-11 08:56:04 177664 -c----w- c:\windows2\system32\dllcache\wintrust.dll
2011-05-11 06:58:04 -------- d-----w- c:\windows2\system32\SoftwareDistribution
2011-05-11 06:53:27 -------- d-----w- c:\windows2\pss
2011-05-11 06:49:43 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2011-05-11 06:49:40 -------- d-----w- c:\program files\Security Task Manager
2011-05-10 20:07:35 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-05-10 18:59:19 -------- d-----w- c:\windows2\system32\wbem\AutoRecover
2011-05-10 18:45:59 95424 ------w- c:\windows2\system32\drivers\slnthal.sys
2011-05-10 18:39:43 -------- d-----w- c:\windows2\ServicePackFiles
2011-05-10 18:32:47 19528 ----a-w- c:\windows2\002233_.tmp
2011-05-10 18:32:44 -------- d-----w- c:\windows2\system32\ReinstallBackups
2011-05-10 18:32:24 26488 ----a-w- c:\windows2\system32\spupdsvc.exe
2011-05-10 18:28:44 -------- d-----w- c:\windows2\EHome
2011-05-10 18:22:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2011-05-10 18:13:27 -------- d-----w- c:\docume~1\me.tim\applic~1\Malwarebytes
2011-05-10 18:13:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2011-05-10 18:13:20 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-10 18:13:14 19288 ----a-w- c:\windows2\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-05-02 17:36:04 284744 ----a-w- c:\windows2\system32\guard32.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-04-05 05:07:12 3539857 ----a-w- C:\pci_filerecovery.exe
2011-04-05 04:58:17 39950910 ----a-w- C:\C__Users_Administrator_Desktop_PWOSetup173.exe
.
============= FINISH: 1:03:50.54 ===============




.
==== Installed Programs ======================
.
7-Zip 4.65
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
BCM V.92 56K Modem
Broadcom 440x 10/100 Integrated Controller
COMODO Internet Security
E[POD]bot
ERUNT 1.1j
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB981793)
Intel(R) Extreme Graphics Driver
Malwarebytes' Anti-Malware
Microsoft Office FrontPage 2003
Mozilla Firefox 4.0.1 (x86 en-US)
Picasa 3
Security Task Manager 1.8c
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
SoftPerfect Bandwidth Manager Lite 2.9.10
SoundMAX
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Feature Pack for Storage (32-bit) - IMAPI update for Blu-Ray
Windows Installer 3.1 (KB893803)
Windows XP Service Pack 2
.
==== End Of File ===========================

This is from the tenth of this month.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 5363

Windows 5.1.2600 Service Pack 1
Internet Explorer 6.0.2800.1106

5/10/2011 9:25:47 PM
mbam-log-2011-05-10 (21-25-47).txt

Scan type: Quick scan
Objects scanned: 211263
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


This one is from the 13th.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 6566

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/13/2011 10:23:49 AM
mbam-log-2011-05-13 (10-23-49).txt

Scan type: Quick scan
Objects scanned: 237751
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This is from a few minutes ago.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 6579

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

5/15/2011 2:35:46 AM
mbam-log-2011-05-15 (02-35-46).txt

Scan type: Quick scan
Objects scanned: 238403
Time elapsed: 8 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

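The three MBAM logs above flag the same PUM registry items on every run even though each scan reports them "Quarantined and deleted successfully". As an added example (not from the thread, the poster, or Malwarebytes), the script below parses the "Registry Data Items Infected" section of several MBAM 1.50 logs and lists the registry paths flagged in more than one scan, which is the signal that something is re-applying those policy values between scans rather than a one-off leftover. The log snippets inside it are constructed, shortened copies modelled on the posted ones.

```python
"""Triage helper for a run of Malwarebytes' Anti-Malware (MBAM 1.50) logs.

It pulls every entry under the "Registry Data Items Infected:" heading out
of each log and reports which registry paths keep being flagged scan after
scan. A value such as DisableTaskMgr being quarantined again on every run
points to something re-applying the policy between scans, not a leftover.
"""
import re
from collections import OrderedDict

SECTION = "Registry Data Items Infected:"   # exact heading of the detail list
ENTRY_RE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+)$"
)
LOGNAME_RE = re.compile(r"^mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2})-(\d{2})-(\d{2})\)\.txt$")

# Constructed, shortened logs modelled on the ones posted in the thread;
# sample input for this example, not the poster's real files.
LOG_MAY10 = r"""Malwarebytes' Anti-Malware 1.50.1.1100
mbam-log-2011-05-10 (21-25-47).txt

Registry Data Items Infected: 2

Registry Keys Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""
LOG_MAY13 = r"""mbam-log-2011-05-13 (10-23-49).txt

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
"""
LOG_MAY15 = r"""mbam-log-2011-05-15 (02-35-46).txt

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
"""


def parse_mbam_log(text):
    """Return (scan_id, entries): scan_id comes from the mbam-log-... line,
    entries holds one dict per line of the registry data items section."""
    scan_id, entries, in_section = None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        m = LOGNAME_RE.match(line)
        if m:
            scan_id = "%s %s:%s:%s" % m.groups()
            continue
        if line == SECTION:              # the summary line has a count after the colon
            in_section = True
            continue
        if not in_section:
            continue
        if not line:                      # a blank line ends the section
            in_section = False
        elif not line.startswith("(No malicious"):
            m = ENTRY_RE.match(line)
            if m:
                entries.append(m.groupdict())
    return scan_id, entries


def recurring_items(logs, min_scans=2):
    """Map registry path -> sorted scan ids, keeping only paths flagged in at
    least min_scans distinct scans (the re-infection signal)."""
    seen = OrderedDict()
    for text in logs:
        scan_id, entries = parse_mbam_log(text)
        for e in entries:
            seen.setdefault(e["path"], set()).add(scan_id)
    return OrderedDict((p, sorted(s)) for p, s in seen.items() if len(s) >= min_scans)


if __name__ == "__main__":
    for path, scans in recurring_items([LOG_MAY10, LOG_MAY13, LOG_MAY15]).items():
        print("%d scans  %s" % (len(scans), path))
        for s in scans:
            print("    flagged again in scan of %s" % s)
```

Run it against the real log files by reading them into the list passed to recurring_items; a path that only appears in one scan is dropped, so the output is just the items that keep coming back.
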
Blade81
2011-05-19, 17:32
Hi


Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

tankedsecondchance
2011-05-19, 18:59
Hi, thanks for the help.

ComboFix downloaded, ran and indicated it installed the Recovery Console, then said it would perform a scan, which ran for maybe ten minutes, and the computer restarted. I logged in and it had reloaded and launched all the security tools when it restarted. I shut down the programs as ComboFix was trying to scan my system again, but it just closed after a couple of minutes.

I looked for a log file for ComboFix but I don't see one.

Should I try to run it again?


DDS (Ver_11-03-05.01) - NTFSx86
Run by Me at 18:45:45.32 on Thu 05/19/2011
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.246 [GMT 3:00]
.
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS2\system32\svchost.exe -k DcomLaunch
C:\WINDOWS2\system32\svchost.exe -k rpcss
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS2\system32\svchost.exe -k netsvcs
C:\WINDOWS2\System32\svchost.exe -k NetworkService
C:\WINDOWS2\system32\svchost.exe -k LocalService
C:\WINDOWS2\system32\spoolsv.exe
C:\WINDOWS2\System32\svchost.exe -k LocalService
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\wuauclt.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\WINDOWS2\System32\svchost.exe -k HTTPFilter
C:\WINDOWS2\system32\wuauclt.exe
C:\Documents and Settings\Me.TIM\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows2\system32\igfxtray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
StartupFolder: c:\docume~1\me.tim\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\me.tim\applic~1\mozilla\firefox\profiles\6tv5e5pb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\drivers\cmdGuard.sys [2011-5-2 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\drivers\cmdhlp.sys [2011-5-2 29400]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-5-9 1779792]
R3 abp470n5;abp470n5;\??\c:\windows2\system32\drivers\gelnlo.sys --> c:\windows2\system32\drivers\gelnlo.sys [?]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\drivers\bcm42xx5.sys [2011-5-10 54271]
.
=============== Created Last 30 ================
.
2011-05-19 15:19:54 -------- d-sha-r- C:\cmdcons
2011-05-19 15:13:38 98816 ----a-w- c:\windows2\sed.exe
2011-05-19 15:13:38 89088 ----a-w- c:\windows2\MBR.exe
2011-05-19 15:13:38 256512 ----a-w- c:\windows2\PEV.exe
2011-05-19 15:13:38 161792 ----a-w- c:\windows2\SWREG.exe
2011-05-19 15:13:11 -------- d-s---w- C:\ComboFix
2011-05-19 02:21:08 274288 ----a-w- c:\windows2\system32\mucltui.dll
2011-05-19 02:21:08 215920 ----a-w- c:\windows2\system32\muweb.dll
2011-05-19 02:21:08 16736 ----a-w- c:\windows2\system32\mucltui.dll.mui
2011-05-18 19:59:52 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\AskToolbar
2011-05-18 14:59:18 -------- d-----w- c:\windows2\system32\LogFiles
2011-05-16 18:13:24 -------- d-----w- c:\docume~1\me.tim\applic~1\Foxit Software
2011-05-16 18:12:47 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12:10 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00:50 -------- d--h--w- C:\VritualRoot
2011-05-14 19:49:10 -------- d-----w- c:\docume~1\me.tim\applic~1\WinPatrol
2011-05-13 22:10:51 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Identities
2011-05-13 10:39:56 -------- d-----w- c:\windows2\system32\CatRoot_bak
2011-05-13 00:03:00 -------- d-----w- c:\windows2\system32\KB905474
2011-05-11 20:20:34 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Google
2011-05-11 11:44:17 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 09:43:49 272128 -c----w- c:\windows2\system32\dllcache\bthport.sys
2011-05-11 09:42:28 153088 -c----w- c:\windows2\system32\dllcache\triedit.dll
2011-05-11 09:40:55 743936 -c----w- c:\windows2\system32\dllcache\helpsvc.exe
2011-05-11 09:33:16 1172480 -c----w- c:\windows2\system32\dllcache\msxml3.dll
2011-05-11 09:32:40 655872 -c----w- c:\windows2\system32\dllcache\mstscax.dll
2011-05-11 09:29:25 352640 -c----w- c:\windows2\system32\dllcache\srv.sys
2011-05-11 09:28:32 90112 ----a-w- c:\windows2\unvise32.exe
2011-05-11 09:26:57 454016 -c----w- c:\windows2\system32\dllcache\mrxsmb.sys
2011-05-11 09:26:38 470528 -c----w- c:\windows2\system32\dllcache\aclayers.dll
2011-05-11 09:09:11 331776 -c----w- c:\windows2\system32\dllcache\msadce.dll
2011-05-11 09:00:31 332800 -c----w- c:\windows2\system32\dllcache\netapi32.dll
2011-05-11 09:00:01 -------- d-----w- c:\windows2\system32\PreInstall
2011-05-11 08:59:40 -------- d--h--w- c:\windows2\$hf_mig$
2011-05-11 08:56:11 85504 -c----w- c:\windows2\system32\dllcache\cabview.dll
2011-05-11 08:56:04 177664 -c----w- c:\windows2\system32\dllcache\wintrust.dll
2011-05-11 06:58:04 -------- d-----w- c:\windows2\system32\SoftwareDistribution
2011-05-11 06:53:27 -------- d-----w- c:\windows2\pss
2011-05-11 06:49:43 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2011-05-11 06:49:40 -------- d-----w- c:\program files\Security Task Manager
2011-05-10 20:07:35 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-05-10 18:59:19 -------- d-----w- c:\windows2\system32\wbem\AutoRecover
2011-05-10 18:45:59 95424 ------w- c:\windows2\system32\drivers\slnthal.sys
2011-05-10 18:39:43 -------- d-----w- c:\windows2\ServicePackFiles
2011-05-10 18:32:47 19528 ----a-w- c:\windows2\002233_.tmp
2011-05-10 18:32:44 -------- d-----w- c:\windows2\system32\ReinstallBackups
2011-05-10 18:32:24 26488 ----a-w- c:\windows2\system32\spupdsvc.exe
2011-05-10 18:28:44 -------- d-----w- c:\windows2\EHome
2011-05-10 18:22:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2011-05-10 18:13:27 -------- d-----w- c:\docume~1\me.tim\applic~1\Malwarebytes
2011-05-10 18:13:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2011-05-10 18:13:20 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-10 18:13:14 19288 ----a-w- c:\windows2\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-05-02 17:36:04 284744 ----a-w- c:\windows2\system32\guard32.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-04-05 05:07:12 3539857 ----a-w- C:\pci_filerecovery.exe
2011-04-05 04:58:17 39950910 ----a-w- C:\C__Users_Administrator_Desktop_PWOSetup173.exe
.
============= FINISH: 18:47:50.56 ===============

Blade81
2011-05-19, 19:40
Hi,

Yes, run ComboFix again after disabling protection first.

tankedsecondchance
2011-05-19, 20:54
OK, it did run for a while and found a rootkit infection and asked to reboot to fix it, and then the computer restarted quickly and the audio sounded good.

But for the life of me I can't find any log file for ComboFix.

I'm on the other computer because a message popped up saying I was in selective startup mode and need to go into normal startup. I clicked OK; it restarted again but gave me only a blue screen at logon.

tankedsecondchance
2011-05-19, 21:00
It's back in selective startup mode now; it opened and let me log on.

But it gave me a pop-up saying ComboFix is corrupt.

Should I download it again after deleting this one, then try to run it again?

Blade81
2011-05-19, 21:23
Hi,

Please post the log at this point only.

tankedsecondchance
2011-05-19, 22:46
ComboFix has not managed to make any logs prior to crashing and claiming that it's corrupt, but it did give me a message telling me something about a possible "virut" infection, which may be causing the problem, if memory serves.

tankedsecondchance
2011-05-20, 00:42
Wow, I had to try and download ComboFix five or six times to get one which was not corrupted. It started and ran again, found some rootkit issue, asked to reboot to fix it, and came back on quickly.

It ran through fifty steps, which took about thirty minutes.

Then it said it was deleting some files and about five folders, but it just sat there with no change on the screen after another thirty minutes, over one hour in time altogether.

I still don't see any log file for ComboFix; unless you can tell me where to look, I think I won't ever discover it on my own or using the search feature on my PC.


Here is the DDS file and zipped attachment:

svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\System32\svchost.exe -k HTTPFilter
C:\WINDOWS2\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS2\system32\ctfmon.exe
C:\WINDOWS2\System32\svchost.exe -k imgsvc
C:\Documents and Settings\Me.TIM\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows2\system32\igfxtray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\me.tim\applic~1\mozilla\firefox\profiles\6tv5e5pb.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\drivers\cmdGuard.sys [2011-5-2 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\drivers\cmdhlp.sys [2011-5-2 29400]
R3 abp470n5;abp470n5;\??\c:\windows2\system32\drivers\gelnlo.sys --> c:\windows2\system32\drivers\gelnlo.sys [?]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\drivers\bcm42xx5.sys [2011-5-10 54271]
S4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-5-9 1779792]
.
=============== Created Last 30 ================
.
2011-05-19 19:47:21 -------- d-s---w- C:\ComboFix
2011-05-19 15:19:54 -------- d-sha-r- C:\cmdcons
2011-05-19 15:13:38 98816 ----a-w- c:\windows2\sed.exe
2011-05-19 15:13:38 89088 ----a-w- c:\windows2\MBR.exe
2011-05-19 15:13:38 256512 ----a-w- c:\windows2\PEV.exe
2011-05-19 15:13:38 161792 ----a-w- c:\windows2\SWREG.exe
2011-05-19 02:21:08 274288 ----a-w- c:\windows2\system32\mucltui.dll
2011-05-19 02:21:08 215920 ----a-w- c:\windows2\system32\muweb.dll
2011-05-19 02:21:08 16736 ----a-w- c:\windows2\system32\mucltui.dll.mui
2011-05-18 19:59:52 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\AskToolbar
2011-05-18 14:59:18 -------- d-----w- c:\windows2\system32\LogFiles
2011-05-16 18:13:24 -------- d-----w- c:\docume~1\me.tim\applic~1\Foxit Software
2011-05-16 18:12:47 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12:10 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00:50 -------- d--h--w- C:\VritualRoot
2011-05-14 19:49:10 -------- d-----w- c:\docume~1\me.tim\applic~1\WinPatrol
2011-05-13 22:10:51 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Identities
2011-05-13 10:39:56 -------- d-----w- c:\windows2\system32\CatRoot_bak
2011-05-13 00:03:00 -------- d-----w- c:\windows2\system32\KB905474
2011-05-11 20:20:34 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Google
2011-05-11 11:44:17 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 09:43:49 272128 -c----w- c:\windows2\system32\dllcache\bthport.sys
2011-05-11 09:42:28 153088 -c----w- c:\windows2\system32\dllcache\triedit.dll
2011-05-11 09:40:55 743936 -c----w- c:\windows2\system32\dllcache\helpsvc.exe
2011-05-11 09:33:16 1172480 -c----w- c:\windows2\system32\dllcache\msxml3.dll
2011-05-11 09:32:40 655872 -c----w- c:\windows2\system32\dllcache\mstscax.dll
2011-05-11 09:29:25 352640 -c----w- c:\windows2\system32\dllcache\srv.sys
2011-05-11 09:28:32 90112 ----a-w- c:\windows2\unvise32.exe
2011-05-11 09:26:57 454016 -c----w- c:\windows2\system32\dllcache\mrxsmb.sys
2011-05-11 09:26:38 470528 -c----w- c:\windows2\system32\dllcache\aclayers.dll
2011-05-11 09:09:11 331776 -c----w- c:\windows2\system32\dllcache\msadce.dll
2011-05-11 09:00:31 332800 -c----w- c:\windows2\system32\dllcache\netapi32.dll
2011-05-11 09:00:01 -------- d-----w- c:\windows2\system32\PreInstall
2011-05-11 08:59:40 -------- d--h--w- c:\windows2\$hf_mig$
2011-05-11 08:56:11 85504 -c----w- c:\windows2\system32\dllcache\cabview.dll
2011-05-11 08:56:04 177664 -c----w- c:\windows2\system32\dllcache\wintrust.dll
2011-05-11 06:58:04 -------- d-----w- c:\windows2\system32\SoftwareDistribution
2011-05-11 06:53:27 -------- d-----w- c:\windows2\pss
2011-05-11 06:49:43 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2011-05-11 06:49:40 -------- d-----w- c:\program files\Security Task Manager
2011-05-10 20:07:35 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-05-10 18:59:19 -------- d-----w- c:\windows2\system32\wbem\AutoRecover
2011-05-10 18:45:59 95424 ------w- c:\windows2\system32\drivers\slnthal.sys
2011-05-10 18:39:43 -------- d-----w- c:\windows2\ServicePackFiles
2011-05-10 18:32:47 19528 ----a-w- c:\windows2\002233_.tmp
2011-05-10 18:32:44 -------- d-----w- c:\windows2\system32\ReinstallBackups
2011-05-10 18:32:24 26488 ----a-w- c:\windows2\system32\spupdsvc.exe
2011-05-10 18:28:44 -------- d-----w- c:\windows2\EHome
2011-05-10 18:22:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2011-05-10 18:13:27 -------- d-----w- c:\docume~1\me.tim\applic~1\Malwarebytes
2011-05-10 18:13:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2011-05-10 18:13:20 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-10 18:13:14 19288 ----a-w- c:\windows2\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-05-02 17:36:04 284744 ----a-w- c:\windows2\system32\guard32.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-04-05 05:07:12 3539857 ----a-w- C:\pci_filerecovery.exe
2011-04-05 04:58:17 39950910 ----a-w- C:\C__Users_Administrator_Desktop_PWOSetup173.exe
.
============= FINISH: 0:19:20.48 ===============

Blade81
2011-05-20, 07:36
Hi,

Please look in the c:\combofix or c:\qoobox folder for ComboFix.txt files.

tankedsecondchance
2011-05-20, 12:51
Hi,

No, I looked in all the folders, which were only five; none mentioned ComboFix and a couple were empty.

Blade81
2011-05-20, 16:37
Hi,

* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start.
When asked, allow the ActiveX control to install.
Click Start.
Make sure that the option Remove found threats is UNchecked.
Click Scan.
Wait for the scan to finish.

tankedsecondchance
2011-05-20, 19:30
Internet Explorer won't open, and it indicates I need to install Service Pack 3 for XP prior to downloading a new version of IE. I have it downloading the service pack now, but it will take an hour.

Yesterday IE tried to install itself on my desktop; it opened, then tried to redirect me to ask.com for something. This took place during one of the periods when ComboFix asked to be rebooted.

Blade81
2011-05-20, 21:05
Hi,

It's better to postpone the SP3 install until later.


Download GMER (http://www.gmer.net) by clicking the Download EXE button and then saving it to your desktop:
Double-click the .exe that you downloaded.
Click the Rootkit tab, uncheck the Files option and then click Scan.
Don't check the Show All box while scanning is in progress!
When scanning is ready, click Copy. This copies the log to the clipboard.
Post the log (if the log is long, archive it into a zip file and attach it instead of posting) in your reply.

tankedsecondchance
2011-05-20, 23:47
The bad news: I have it almost installed already; it's cleaning up my files. If you're still around and want, I can try to cancel it, then follow your last instruction.

tankedsecondchance
2011-05-21, 10:41
Hi Blade,

OK, I could not stop the Service Pack 3 download; it asked to reboot.
(I did nothing.) The only option it gives me on the installation wizard is to restart now or later.

I followed your other instruction and downloaded GMER; it saved as a file in a folder, which I sent to my desktop. When I double-click it, it only gives me the option to run or cancel.

Should I click Run, then select the other options you mention for some settings?

I will take no action until you reply.

Blade81
2011-05-21, 11:03
Click run there.

tankedsecondchance
2011-05-21, 11:35
I clicked the program; it launched, a window opened for a couple of seconds, long enough for me to see it had options I could select, then the computer crashed.

It went to a blue screen error message which read (page_fault_in_nonpage_area). The computer did a physical memory dump.

I had to do a hard shutdown to get out of this screen. It restarted, and then a system message in a little black window popped up for only a few seconds, listed some system errors, then disappeared from the screen.

Another window also opened which said that Internet Explorer six was being set up; it had no options available.

Also, all of my security programs reactivated.

What action would you like me to take now?

thanks

Tim from Egypt

Blade81
2011-05-21, 11:48
Download aswMBR (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop. Double-click aswMBR.exe to run it.
Click the Scan button to start the scan.

On completion of the scan, click Save log, save it to your desktop and post it in your next reply.

tankedsecondchance
2011-05-21, 12:06
Should I keep all antivirus programs off, or just run it normally?

tankedsecondchance
2011-05-21, 12:14
Here is the information from the tool that you asked for. You weren't online, so I just ran it normally with all tools running, and with all tools off. Here are both logs.


(virus tools on)

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 12:08:07
-----------------------------
12:08:07.343 OS Version: Windows 5.1.2600 Service Pack 3
12:08:07.343 Number of processors: 1 586 0x209
12:08:07.343 ComputerName: TIM UserName: Me
12:08:08.062 Initialize success
12:08:17.953 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:08:17.953 Disk 0 Vendor: IC35L090AVV207-0 V23OA66A Size: 76293MB BusType: 3
12:08:19.984 Disk 0 MBR read successfully
12:08:19.984 Disk 0 MBR scan
12:08:19.984 Disk 0 Windows XP default MBR code
12:08:21.984 Disk 0 scanning sectors +156232125
12:08:22.000 Disk 0 scanning C:\WINDOWS2\system32\drivers
12:08:29.843 Service scanning
12:08:30.921 Disk 0 trace - called modules:
12:08:30.953 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:08:30.953 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f85ab8]
12:08:30.953 3 CLASSPNP.SYS[f8578fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fe4d98]
12:08:30.953 Scan finished successfully
12:08:51.703 Disk 0 MBR has been saved successfully to "C:\WINDOWS2\system32\MBR.dat"
12:08:51.750 The log file has been saved successfully to "C:\WINDOWS2\system32\aswMBR.txt"



(virus tools off)

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-21 12:12:34
-----------------------------
12:12:34.453 OS Version: Windows 5.1.2600 Service Pack 3
12:12:34.453 Number of processors: 1 586 0x209
12:12:34.453 ComputerName: TIM UserName: Me
12:12:36.000 Initialize success
12:12:37.609 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:12:37.609 Disk 0 Vendor: IC35L090AVV207-0 V23OA66A Size: 76293MB BusType: 3
12:12:39.640 Disk 0 MBR read successfully
12:12:39.640 Disk 0 MBR scan
12:12:39.640 Disk 0 Windows XP default MBR code
12:12:41.640 Disk 0 scanning sectors +156232125
12:12:41.656 Disk 0 scanning C:\WINDOWS2\system32\drivers
12:12:52.515 Service scanning
12:12:53.609 Disk 0 trace - called modules:
12:12:53.625 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:12:53.625 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f85ab8]
12:12:53.625 3 CLASSPNP.SYS[f8578fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82fe4d98]
12:12:53.625 Scan finished successfully
12:13:16.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Me.TIM\Desktop\MBR.dat"
12:13:16.390 The log file has been saved successfully to "C:\Documents and Settings\Me.TIM\Desktop\aswMBR2.txt"

tankedsecondchance
2011-05-21, 12:19
I am terribly sorry, I seem to have forgotten to attach the files. Here they are.

Blade81
2011-05-21, 12:36
Hi,

aswMBR results look ok. Please post fresh dds logs.

tankedsecondchance
2011-05-21, 13:54
Hello again,

I was out for a bit; my son should have kept up with your request as made. I'm sorry about this. Below is the DDS log.

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Me at 13:44:58.64 on Sat 05/21/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.135 [GMT 3:00]
.
FW: COMODO Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS2\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS2\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS2\system32\spoolsv.exe
svchost.exe
C:\WINDOWS2\Explorer.EXE
C:\WINDOWS2\system32\ctfmon.exe
C:\WINDOWS2\system32\wuauclt.exe
C:\WINDOWS2\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Me.TIM\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IgfxTray] c:\windows2\system32\igfxtray.exe
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\me.tim\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: c:\windows2\system32\guard32.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\me.tim\applic~1\mozilla\firefox\profiles\6tv5e5pb.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\nos\bin\np_gp.dll
.
============= SERVICES / DRIVERS ===============
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\drivers\cmdGuard.sys [2011-5-2 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\drivers\cmdhlp.sys [2011-5-2 29400]
R3 abp470n5;abp470n5;\??\c:\windows2\system32\drivers\gelnlo.sys --> c:\windows2\system32\drivers\gelnlo.sys [?]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\drivers\bcm42xx5.sys [2011-5-10 54271]
S4 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-5-9 1853520]
.
=============== Created Last 30 ================
.
2011-05-20 18:21:44 -------- d-----w- c:\windows2\LastGood.Tmp
2011-05-20 18:02:05 79872 -c----w- c:\windows2\system32\dllcache\msxml6r.dll
2011-05-20 18:02:05 79872 ------w- c:\windows2\system32\msxml6r.dll
2011-05-20 18:02:05 1372672 -c----w- c:\windows2\system32\dllcache\msxml6.dll
2011-05-20 18:02:04 1372672 ------w- c:\windows2\system32\msxml6.dll
2011-05-20 18:02:00 1001472 -c----w- c:\windows2\system32\dllcache\wmvdmoe2.dll
2011-05-20 18:01:57 897024 -c----w- c:\windows2\system32\dllcache\wmspdmoe.dll
2011-05-20 18:01:57 221184 -c----w- c:\windows2\system32\dllcache\wmpns.dll
2011-05-20 18:01:57 1119744 -c----w- c:\windows2\system32\dllcache\wmsdmoe2.dll
2011-05-20 18:01:56 98304 -c----w- c:\windows2\system32\dllcache\wmpband.dll
2011-05-20 18:01:54 114688 -c----w- c:\windows2\system32\dllcache\wmpasf.dll
2011-05-20 18:01:53 168448 -c----w- c:\windows2\system32\dllcache\wmerror.dll
2011-05-20 18:01:53 151552 -c----w- c:\windows2\system32\dllcache\wmidx.dll
2011-05-20 18:01:48 52224 -c----w- c:\windows2\system32\dllcache\mspmsnsv.dll
2011-05-20 18:01:47 384512 -c----w- c:\windows2\system32\dllcache\mp4sdmod.dll
2011-05-20 18:01:47 368640 -c----w- c:\windows2\system32\dllcache\mpvis.dll
2011-05-20 18:01:47 310272 -c----w- c:\windows2\system32\dllcache\mp43dmod.dll
2011-05-20 18:00:19 9728 ------w- c:\windows2\system32\rwnh.dll
2011-05-20 18:00:18 10752 ------w- c:\windows2\system32\smtpapi.dll
2011-05-20 17:58:52 -------- d-----w- c:\windows2\l2schemas
2011-05-20 17:58:50 -------- d-----w- c:\windows2\system32\en
2011-05-20 17:58:49 -------- d-----w- c:\windows2\system32\bits
2011-05-20 17:47:12 33792 -c----w- c:\windows2\system32\dllcache\custsat.dll
2011-05-20 17:45:57 152064 -c----w- c:\windows2\system32\dllcache\shmedia.dll
2011-05-20 17:40:31 -------- d-----w- c:\windows2\network diagnostic
2011-05-20 17:40:27 144384 ------w- c:\windows2\system32\drivers\hdaudbus.sys
2011-05-20 17:40:23 10240 ------w- c:\windows2\system32\drivers\sffp_mmc.sys
2011-05-20 17:32:55 19569 ----a-w- c:\windows2\005491_.tmp
2011-05-20 16:56:32 -------- d-----w- C:\52d9b97d3a4e2130724323
2011-05-20 16:40:56 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2011-05-19 15:19:54 -------- d-sha-r- C:\cmdcons
2011-05-19 15:13:38 98816 ----a-w- c:\windows2\sed.exe
2011-05-19 15:13:38 89088 ----a-w- c:\windows2\MBR.exe
2011-05-19 15:13:38 256512 ----a-w- c:\windows2\PEV.exe
2011-05-19 15:13:38 161792 ----a-w- c:\windows2\SWREG.exe
2011-05-19 02:21:08 274288 ----a-w- c:\windows2\system32\mucltui.dll
2011-05-19 02:21:08 215920 ----a-w- c:\windows2\system32\muweb.dll
2011-05-19 02:21:08 16736 ----a-w- c:\windows2\system32\mucltui.dll.mui
2011-05-18 19:59:52 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\AskToolbar
2011-05-18 14:59:18 -------- d-----w- c:\windows2\system32\LogFiles
2011-05-16 18:13:24 -------- d-----w- c:\docume~1\me.tim\applic~1\Foxit Software
2011-05-16 18:12:47 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12:10 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00:50 -------- d--h--w- C:\VritualRoot
2011-05-14 19:49:10 -------- d-----w- c:\docume~1\me.tim\applic~1\WinPatrol
2011-05-13 22:10:51 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Identities
2011-05-13 00:03:00 -------- d-----w- c:\windows2\system32\KB905474
2011-05-11 20:20:34 -------- d-----w- c:\docume~1\me.tim\locals~1\applic~1\Google
2011-05-11 11:44:17 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 09:43:49 272128 -c----w- c:\windows2\system32\dllcache\bthport.sys
2011-05-11 09:42:46 81920 -c----w- c:\windows2\system32\dllcache\fontsub.dll
2011-05-11 09:42:46 119808 -c----w- c:\windows2\system32\dllcache\t2embed.dll
2011-05-11 09:42:28 153088 -c----w- c:\windows2\system32\dllcache\triedit.dll
2011-05-11 09:40:54 744448 -c----w- c:\windows2\system32\dllcache\helpsvc.exe
2011-05-11 09:33:16 1172480 -c----w- c:\windows2\system32\dllcache\msxml3.dll
2011-05-11 09:32:40 655872 -c----w- c:\windows2\system32\dllcache\mstscax.dll
2011-05-11 09:29:25 353792 -c----w- c:\windows2\system32\dllcache\srv.sys
2011-05-11 09:28:32 90112 ----a-w- c:\windows2\unvise32.exe
2011-05-11 09:26:56 455680 -c----w- c:\windows2\system32\dllcache\mrxsmb.sys
2011-05-11 09:26:39 471552 -c----w- c:\windows2\system32\dllcache\aclayers.dll
2011-05-11 09:15:50 284160 -c----w- c:\windows2\system32\dllcache\pdh.dll
2011-05-11 09:15:49 473600 -c----w- c:\windows2\system32\dllcache\fastprox.dll
2011-05-11 09:15:49 401408 -c----w- c:\windows2\system32\dllcache\rpcss.dll
2011-05-11 09:15:49 227840 -c----w- c:\windows2\system32\dllcache\wmiprvse.exe
2011-05-11 09:15:49 110592 -c----w- c:\windows2\system32\dllcache\services.exe
2011-05-11 09:15:48 730112 -c----w- c:\windows2\system32\dllcache\lsasrv.dll
2011-05-11 09:15:48 714752 -c----w- c:\windows2\system32\dllcache\ntdll.dll
2011-05-11 09:15:48 617472 -c----w- c:\windows2\system32\dllcache\advapi32.dll
2011-05-11 09:15:48 453120 -c----w- c:\windows2\system32\dllcache\wmiprvsd.dll
2011-05-11 09:15:47 2146304 -c----w- c:\windows2\system32\dllcache\ntkrnlmp.exe
2011-05-11 09:15:46 2189952 -c----w- c:\windows2\system32\dllcache\ntoskrnl.exe
2011-05-11 09:15:46 2024448 -c----w- c:\windows2\system32\dllcache\ntkrpamp.exe
2011-05-11 09:09:21 203136 -c----w- c:\windows2\system32\dllcache\rmcast.sys
2011-05-11 09:09:11 331776 -c----w- c:\windows2\system32\dllcache\msadce.dll
2011-05-11 09:00:31 337408 -c----w- c:\windows2\system32\dllcache\netapi32.dll
2011-05-11 09:00:01 -------- d-----w- c:\windows2\system32\PreInstall
2011-05-11 08:59:40 -------- d--h--w- c:\windows2\$hf_mig$
2011-05-11 08:57:43 2560 ------w- c:\windows2\system32\xpsp4res.dll
2011-05-11 08:57:39 215552 -c----w- c:\windows2\system32\dllcache\wordpad.exe
2011-05-11 08:56:11 86016 -c----w- c:\windows2\system32\dllcache\cabview.dll
2011-05-11 08:56:04 177664 -c----w- c:\windows2\system32\dllcache\wintrust.dll
2011-05-11 06:58:04 -------- d-----w- c:\windows2\system32\SoftwareDistribution
2011-05-11 06:53:27 -------- d-----w- c:\windows2\pss
2011-05-11 06:49:43 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\SecTaskMan
2011-05-11 06:49:40 -------- d-----w- c:\program files\Security Task Manager
2011-05-10 20:07:35 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Spybot - Search & Destroy
2011-05-10 18:59:19 -------- d-----w- c:\windows2\system32\wbem\AutoRecover
2011-05-10 18:45:59 95424 ------w- c:\windows2\system32\drivers\slnthal.sys
2011-05-10 18:39:43 -------- d-----w- c:\windows2\ServicePackFiles
2011-05-10 18:32:47 19528 ----a-w- c:\windows2\002233_.tmp
2011-05-10 18:32:44 -------- d-----w- c:\windows2\system32\ReinstallBackups
2011-05-10 18:32:24 100216 ----a-w- c:\windows2\system32\spupdsvc.exe
2011-05-10 18:28:44 -------- d-----w- c:\windows2\EHome
2011-05-10 18:22:17 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2011-05-10 18:13:27 -------- d-----w- c:\docume~1\me.tim\applic~1\Malwarebytes
2011-05-10 18:13:21 38224 ----a-w- c:\windows2\system32\drivers\mbamswissarmy.sys
2011-05-10 18:13:20 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2011-05-10 18:13:14 19288 ----a-w- c:\windows2\system32\drivers\mbam.sys
.
==================== Find3M ====================
.
2011-05-02 17:36:04 284744 ----a-w- c:\windows2\system32\guard32.dll
2011-04-13 22:40:10 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-04-05 04:58:17 39950910 ----a-w- C:\C__Users_Administrator_Desktop_PWOSetup173.exe
.
============= FINISH: 13:47:09.78 ===============
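
As an added example (not part of this thread, and not code from DDS or any other tool mentioned here): a small Python triage script that reads lines in the format of the DDS "Pseudo HJT Report" and "SERVICES / DRIVERS" sections above and flags the items a helper would look at first: the DisableTaskMgr/DisableRegistryTools policies that explain the blocked Task Manager and Registry Editor, a hosts-file entry that sends a security site to 127.0.0.1, a service whose driver file DDS could not find (the trailing [?]), and a BHO/toolbar whose display name does not match the folder its DLL loads from. The sample lines are a constructed excerpt modelled on the posted log; the hive labels and the name/path heuristic are this example's own assumptions.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (finding kind, human-readable detail)

# Constructed excerpt modelled on the DDS report posted above (not the full log).
SAMPLE_REPORT = r"""
uSearch Page = hxxp://www.google.com
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Foxit PDF Creator Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [ctfmon.exe] c:\windows2\system32\ctfmon.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-system: DisableTaskMgr = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\drivers\cmdGuard.sys [2011-5-2 242472]
R3 abp470n5;abp470n5;\??\c:\windows2\system32\drivers\gelnlo.sys --> c:\windows2\system32\drivers\gelnlo.sys [?]
"""

# Hive prefixes as DDS labels them: u = current user, m = machine, d = default
# user profile. Assumed mapping, used here only to label findings.
_SCOPE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}

_POLICY_RE = re.compile(
    r"^([umd])Policies-system:\s*(DisableTaskMgr|DisableRegistryTools)\s*=\s*(\d+)")
_HOSTS_RE = re.compile(r"^Hosts:\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)")
# Service lines: "R3 name;display;path [date size]" or "... [?]" when the
# file could not be found on disk.
_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*?)\s+\[([^\]]*)\]\s*$")
_ADDON_RE = re.compile(r"^(BHO|TB):\s*(.+?):\s*\{[0-9A-Fa-f-]+\}\s*-\s*(.+)$")


def _check_policy(line: str) -> Optional[Finding]:
    """A policy value of 1 disables Task Manager or the Registry Editor."""
    m = _POLICY_RE.match(line)
    if m and int(m.group(3)) == 1:
        scope, name = _SCOPE[m.group(1)], m.group(2)
        tool = "Task Manager" if name == "DisableTaskMgr" else "Registry Editor"
        return ("policy_restriction", f"{scope} {name}=1 ({tool} blocked)")
    return None


def _check_hosts(line: str) -> Optional[Finding]:
    """Any name other than localhost pointed at loopback blocks that site."""
    m = _HOSTS_RE.match(line)
    if m and m.group(2).lower() != "localhost":
        return ("hosts_loopback", f"{m.group(2)} -> {m.group(1)}")
    return None


def _check_service(line: str) -> Optional[Finding]:
    """A registered driver whose file is missing ([?]) needs a closer look."""
    m = _SERVICE_RE.match(line)
    if m and m.group(5).strip() == "?":
        path = m.group(4).split("-->")[-1].strip()
        return ("driver_file_missing", f"{m.group(1)} {m.group(2)}: {path}")
    return None


def _check_addon(line: str) -> Optional[Finding]:
    """Heuristic: the add-on's first name word should appear in its DLL path."""
    m = _ADDON_RE.match(line)
    if not m:
        return None
    kind, name, path = m.groups()
    vendor = re.match(r"[A-Za-z]+", name)
    if vendor and vendor.group(0).lower() not in path.lower():
        return ("addon_name_path_mismatch", f"{kind} '{name}' loads {path.strip()}")
    return None


CHECKS = (_check_policy, _check_hosts, _check_service, _check_addon)


def triage(report: str) -> List[Finding]:
    """Run every check over each non-empty line; one finding per line at most."""
    findings: List[Finding] = []
    for line in report.splitlines():
        line = line.strip()
        if not line:
            continue
        for check in CHECKS:
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_REPORT):
        print(f"{kind:26} {detail}")
```

Feed it the report section of a real DDS log in place of SAMPLE_REPORT; a finding is a prompt for inspection, not a verdict.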

Blade81
2011-05-21, 17:17
Hi,

Try to run ComboFix in safe mode, disabling protection software first. If it requests a reboot, make sure the system is booted back into safe mode.

tankedsecondchance
2011-05-21, 18:36
Well, I tried entering safe mode but to no avail; my computer is stuck in a crashed state and I cannot use the Last Known Good Configuration, seeing as it just stays crashed. Anyway, this is the error code I'm receiving: *** stop: 0x000000713(0xF894F528, 0xC0000034, 0x00000000, 0x00000000)
So what should I do now? I'm stuck... :confused:

Blade81
2011-05-21, 18:50
Hi,

Does normal mode work?

tankedsecondchance
2011-05-21, 18:52
That's a negative.

tankedsecondchance
2011-05-21, 18:56
OK, I managed to edit the boot file from the Recovery Console by using the bootcfg command and the rebuild switch.

Blade81
2011-05-21, 19:03
So, what happened after the latest DDS run? If I understand it right, you hadn't run ComboFix in safe mode before the BSOD issue appeared.

tankedsecondchance
2011-05-21, 19:12
We never did run it in safe mode; my computer has not been able to access it, Task Manager or the Registry Editor since my last reinstallation of Windows.

Blade81
2011-05-21, 19:23
Hi,

If the system BSODs while trying to boot into normal mode too, then there's one thing to try.

Reboot into the Recovery Console and run the fixmbr command there (allow it to do its job). See if that helps.

I read the earlier posts and you mentioned something about Virut. Has any protection software found Virut in its scan (before any ComboFix runs)?

tankedsecondchance
2011-05-21, 19:33
What I meant before about the bootcfg command is that I added a new boot line from there and got back into normal mode; sorry for not being clear enough. As for the Virut that was mentioned earlier, no virus programs, from what we have run, have shown any trace of it before, but ComboFix mentioned a possible Virut infection when it kept crashing after the reboot.

Blade81
2011-05-21, 21:06
Hi,

1. Download TDSSKiller (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and extract its contents into a folder in the desired location (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Cure and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (the name should be in UtilityName.Version_Date_Time_log.txt format).

tankedsecondchance
2011-05-21, 21:23
Hi, I tried to download the file but to no avail. Internet Explorer and Firefox both cannot reach the site; they both are telling me that the server cannot be found. Now what should I do?

tankedsecondchance
2011-05-21, 21:38
Well, I went to MajorGeeks and downloaded the May 13th version of TDSSKiller; it ran in 53 seconds, processed 173 files, found nothing and gave me an empty log. What now?

tankedsecondchance
2011-05-21, 21:42
My mistake: it showed me an empty screen when the tool was done, so I thought the file was empty :oops:. Here are the file's contents:

2011/05/21 21:35:36.0046 2932 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/21 21:35:38.0109 2932 ================================================================================
2011/05/21 21:35:38.0109 2932 SystemInfo:
2011/05/21 21:35:38.0109 2932
2011/05/21 21:35:38.0109 2932 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/21 21:35:38.0109 2932 Product type: Workstation
2011/05/21 21:35:38.0109 2932 ComputerName: TIM
2011/05/21 21:35:38.0109 2932 UserName: Me
2011/05/21 21:35:38.0109 2932 Windows directory: C:\WINDOWS2
2011/05/21 21:35:38.0109 2932 System windows directory: C:\WINDOWS2
2011/05/21 21:35:38.0109 2932 Processor architecture: Intel x86
2011/05/21 21:35:38.0109 2932 Number of processors: 1
2011/05/21 21:35:38.0109 2932 Page size: 0x1000
2011/05/21 21:35:38.0109 2932 Boot type: Normal boot
2011/05/21 21:35:38.0109 2932 ================================================================================
2011/05/21 21:35:38.0687 2932 Initialize success
2011/05/21 21:35:45.0968 3004 ================================================================================
2011/05/21 21:35:45.0968 3004 Scan started
2011/05/21 21:35:45.0968 3004 Mode: Manual;
2011/05/21 21:35:45.0968 3004 ================================================================================
2011/05/21 21:35:49.0093 3004 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS2\system32\DRIVERS\ACPI.sys
2011/05/21 21:35:49.0390 3004 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS2\system32\drivers\ACPIEC.sys
2011/05/21 21:35:49.0921 3004 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS2\system32\drivers\aec.sys
2011/05/21 21:35:50.0218 3004 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS2\System32\drivers\afd.sys
2011/05/21 21:35:52.0140 3004 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS2\system32\DRIVERS\asyncmac.sys
2011/05/21 21:35:52.0500 3004 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS2\system32\DRIVERS\atapi.sys
2011/05/21 21:35:53.0062 3004 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS2\system32\DRIVERS\atmarpc.sys
2011/05/21 21:35:53.0453 3004 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS2\system32\DRIVERS\audstub.sys
2011/05/21 21:35:53.0750 3004 b57w2k (b9391a83f075351c923c3a37c53af396) C:\WINDOWS2\system32\DRIVERS\b57xp32.sys
2011/05/21 21:35:54.0046 3004 BCM42XX (5ff4a1e41df9f1e328c955caa12cd3b0) C:\WINDOWS2\system32\DRIVERS\bcm42xx5.sys
2011/05/21 21:35:54.0328 3004 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS2\system32\DRIVERS\bcm4sbxp.sys
2011/05/21 21:35:54.0671 3004 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS2\system32\DRIVERS\BCMSM.sys
2011/05/21 21:35:54.0968 3004 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS2\system32\drivers\Beep.sys
2011/05/21 21:35:55.0468 3004 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS2\system32\drivers\cbidf2k.sys
2011/05/21 21:35:56.0000 3004 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS2\system32\drivers\Cdaudio.sys
2011/05/21 21:35:56.0312 3004 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS2\system32\drivers\Cdfs.sys
2011/05/21 21:35:56.0593 3004 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS2\system32\DRIVERS\cdrom.sys
2011/05/21 21:35:57.0187 3004 cmdGuard (cc56fa45ba18904cb04382ae9f52b1a5) C:\WINDOWS2\system32\DRIVERS\cmdguard.sys
2011/05/21 21:35:57.0500 3004 cmdHlp (3a70948ab6e966bdaef2baec1f8ef9d1) C:\WINDOWS2\system32\DRIVERS\cmdhlp.sys
2011/05/21 21:35:58.0890 3004 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS2\system32\DRIVERS\disk.sys
2011/05/21 21:35:59.0328 3004 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS2\system32\drivers\dmboot.sys
2011/05/21 21:35:59.0640 3004 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS2\system32\drivers\dmio.sys
2011/05/21 21:35:59.0937 3004 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS2\system32\drivers\dmload.sys
2011/05/21 21:36:00.0234 3004 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS2\system32\drivers\DMusic.sys
2011/05/21 21:36:00.0781 3004 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS2\system32\drivers\drmkaud.sys
2011/05/21 21:36:01.0093 3004 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS2\system32\drivers\Fastfat.sys
2011/05/21 21:36:01.0406 3004 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS2\system32\DRIVERS\fdc.sys
2011/05/21 21:36:01.0687 3004 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS2\system32\drivers\Fips.sys
2011/05/21 21:36:01.0984 3004 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS2\system32\DRIVERS\flpydisk.sys
2011/05/21 21:36:02.0312 3004 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS2\system32\drivers\fltmgr.sys
2011/05/21 21:36:02.0609 3004 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS2\system32\drivers\Fs_Rec.sys
2011/05/21 21:36:02.0906 3004 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS2\system32\DRIVERS\ftdisk.sys
2011/05/21 21:36:03.0203 3004 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS2\system32\DRIVERS\msgpc.sys
2011/05/21 21:36:03.0593 3004 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS2\system32\DRIVERS\hidusb.sys
2011/05/21 21:36:04.0156 3004 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS2\system32\Drivers\HTTP.sys
2011/05/21 21:36:04.0984 3004 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS2\system32\drivers\i8042prt.sys
2011/05/21 21:36:05.0328 3004 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS2\system32\DRIVERS\ialmnt5.sys
2011/05/21 21:36:05.0640 3004 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS2\system32\DRIVERS\imapi.sys
2011/05/21 21:36:06.0203 3004 Inspect (28c95218d0c19db3a86bb4e53d6586e9) C:\WINDOWS2\system32\DRIVERS\inspect.sys
2011/05/21 21:36:06.0671 3004 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS2\system32\DRIVERS\intelide.sys
2011/05/21 21:36:06.0937 3004 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS2\system32\DRIVERS\intelppm.sys
2011/05/21 21:36:07.0250 3004 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS2\system32\drivers\ip6fw.sys
2011/05/21 21:36:07.0515 3004 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS2\system32\DRIVERS\ipfltdrv.sys
2011/05/21 21:36:08.0031 3004 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS2\system32\DRIVERS\ipinip.sys
2011/05/21 21:36:08.0562 3004 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS2\system32\DRIVERS\ipnat.sys
2011/05/21 21:36:08.0843 3004 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS2\system32\DRIVERS\ipsec.sys
2011/05/21 21:36:09.0156 3004 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS2\system32\DRIVERS\irenum.sys
2011/05/21 21:36:09.0484 3004 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS2\system32\DRIVERS\isapnp.sys
2011/05/21 21:36:09.0765 3004 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS2\system32\DRIVERS\kbdclass.sys
2011/05/21 21:36:10.0046 3004 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS2\system32\DRIVERS\kbdhid.sys
2011/05/21 21:36:10.0406 3004 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS2\system32\drivers\kmixer.sys
2011/05/21 21:36:10.0671 3004 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS2\system32\drivers\KSecDD.sys
2011/05/21 21:36:11.0312 3004 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS2\system32\drivers\mnmdd.sys
2011/05/21 21:36:11.0640 3004 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS2\system32\drivers\Modem.sys
2011/05/21 21:36:11.0906 3004 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS2\system32\drivers\MODEMCSA.sys
2011/05/21 21:36:12.0171 3004 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS2\system32\DRIVERS\mouclass.sys
2011/05/21 21:36:12.0484 3004 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS2\system32\DRIVERS\mouhid.sys
2011/05/21 21:36:12.0765 3004 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS2\system32\drivers\MountMgr.sys
2011/05/21 21:36:13.0328 3004 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS2\system32\DRIVERS\mrxdav.sys
2011/05/21 21:36:13.0656 3004 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS2\system32\DRIVERS\mrxsmb.sys
2011/05/21 21:36:13.0968 3004 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS2\system32\drivers\Msfs.sys
2011/05/21 21:36:14.0281 3004 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS2\system32\drivers\MSKSSRV.sys
2011/05/21 21:36:14.0562 3004 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS2\system32\drivers\MSPCLOCK.sys
2011/05/21 21:36:14.0843 3004 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS2\system32\drivers\MSPQM.sys
2011/05/21 21:36:15.0125 3004 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS2\system32\DRIVERS\mssmbios.sys
2011/05/21 21:36:15.0468 3004 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS2\system32\drivers\Mup.sys
2011/05/21 21:36:15.0781 3004 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS2\system32\drivers\NDIS.sys
2011/05/21 21:36:16.0031 3004 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS2\system32\DRIVERS\ndistapi.sys
2011/05/21 21:36:16.0390 3004 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS2\system32\DRIVERS\ndisuio.sys
2011/05/21 21:36:16.0687 3004 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS2\system32\DRIVERS\ndiswan.sys
2011/05/21 21:36:16.0953 3004 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS2\system32\drivers\NDProxy.sys
2011/05/21 21:36:17.0281 3004 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS2\system32\DRIVERS\netbios.sys
2011/05/21 21:36:17.0578 3004 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS2\system32\DRIVERS\netbt.sys
2011/05/21 21:36:17.0906 3004 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS2\system32\drivers\Npfs.sys
2011/05/21 21:36:18.0218 3004 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS2\system32\drivers\Ntfs.sys
2011/05/21 21:36:18.0625 3004 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS2\system32\drivers\Null.sys
2011/05/21 21:36:18.0906 3004 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS2\system32\DRIVERS\nwlnkflt.sys
2011/05/21 21:36:19.0171 3004 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS2\system32\DRIVERS\nwlnkfwd.sys
2011/05/21 21:36:19.0484 3004 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS2\system32\DRIVERS\parport.sys
2011/05/21 21:36:19.0781 3004 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS2\system32\drivers\PartMgr.sys
2011/05/21 21:36:20.0078 3004 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS2\system32\drivers\ParVdm.sys
2011/05/21 21:36:20.0406 3004 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS2\system32\DRIVERS\pci.sys
2011/05/21 21:36:20.0937 3004 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS2\system32\drivers\PCIIde.sys
2011/05/21 21:36:21.0281 3004 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS2\system32\drivers\Pcmcia.sys
2011/05/21 21:36:23.0046 3004 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS2\system32\DRIVERS\raspptp.sys
2011/05/21 21:36:23.0390 3004 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS2\system32\DRIVERS\processr.sys
2011/05/21 21:36:23.0734 3004 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS2\system32\DRIVERS\psched.sys
2011/05/21 21:36:24.0031 3004 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS2\system32\DRIVERS\ptilink.sys
2011/05/21 21:36:25.0453 3004 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS2\system32\DRIVERS\rasacd.sys
2011/05/21 21:36:25.0750 3004 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS2\system32\DRIVERS\rasl2tp.sys
2011/05/21 21:36:26.0046 3004 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS2\system32\DRIVERS\raspppoe.sys
2011/05/21 21:36:26.0375 3004 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS2\system32\DRIVERS\raspti.sys
2011/05/21 21:36:26.0671 3004 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS2\system32\DRIVERS\rdbss.sys
2011/05/21 21:36:26.0968 3004 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS2\system32\DRIVERS\RDPCDD.sys
2011/05/21 21:36:27.0296 3004 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS2\system32\DRIVERS\rdpdr.sys
2011/05/21 21:36:27.0640 3004 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS2\system32\drivers\RDPWD.sys
2011/05/21 21:36:27.0953 3004 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS2\system32\DRIVERS\redbook.sys
2011/05/21 21:36:28.0390 3004 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS2\system32\DRIVERS\secdrv.sys
2011/05/21 21:36:28.0781 3004 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS2\system32\drivers\senfilt.sys
2011/05/21 21:36:29.0093 3004 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS2\system32\DRIVERS\serenum.sys
2011/05/21 21:36:29.0406 3004 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS2\system32\DRIVERS\serial.sys
2011/05/21 21:36:29.0718 3004 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS2\system32\drivers\Sfloppy.sys
2011/05/21 21:36:30.0312 3004 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS2\system32\drivers\smwdm.sys
2011/05/21 21:36:30.0843 3004 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS2\system32\drivers\splitter.sys
2011/05/21 21:36:31.0156 3004 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS2\system32\DRIVERS\sr.sys
2011/05/21 21:36:31.0515 3004 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS2\system32\DRIVERS\srv.sys
2011/05/21 21:36:31.0781 3004 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS2\system32\DRIVERS\swenum.sys
2011/05/21 21:36:32.0093 3004 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS2\system32\drivers\swmidi.sys
2011/05/21 21:36:33.0406 3004 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS2\system32\drivers\sysaudio.sys
2011/05/21 21:36:33.0750 3004 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS2\system32\DRIVERS\tcpip.sys
2011/05/21 21:36:34.0046 3004 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS2\system32\drivers\TDPIPE.sys
2011/05/21 21:36:34.0296 3004 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS2\system32\drivers\TDTCP.sys
2011/05/21 21:36:34.0562 3004 TermDD (88155247177638048422893737429d9e) C:\WINDOWS2\system32\DRIVERS\termdd.sys
2011/05/21 21:36:35.0140 3004 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS2\system32\drivers\Udfs.sys
2011/05/21 21:36:35.0703 3004 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS2\system32\DRIVERS\update.sys
2011/05/21 21:36:36.0015 3004 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS2\system32\DRIVERS\usbehci.sys
2011/05/21 21:36:36.0453 3004 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS2\system32\DRIVERS\usbhub.sys
2011/05/21 21:36:36.0734 3004 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS2\system32\DRIVERS\USBSTOR.SYS
2011/05/21 21:36:37.0015 3004 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS2\system32\DRIVERS\usbuhci.sys
2011/05/21 21:36:37.0312 3004 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS2\System32\drivers\vga.sys
2011/05/21 21:36:37.0843 3004 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS2\system32\drivers\VolSnap.sys
2011/05/21 21:36:38.0265 3004 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS2\system32\DRIVERS\wanarp.sys
2011/05/21 21:36:38.0875 3004 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS2\system32\drivers\wdmaud.sys
2011/05/21 21:36:39.0250 3004 ================================================================================
2011/05/21 21:36:39.0250 3004 Scan finished
2011/05/21 21:36:39.0250 3004 ================================================================================

Blade81
2011-05-21, 22:33
Hi,

Download a fresh copy of ComboFix. Rename ComboFix.exe file -> whatever.exe and try to run it (turn off Comodo first).

tankedsecondchance
2011-05-22, 00:16
I shut down Comodo and a few other things and ran ComboFix under the name kickyourass.exe. Here is the log it produced:

ComboFix 11-05-21.03 - Me 05/21/2011 23:35:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.318 [GMT 3:00]
Running from: c:\documents and settings\Me.TIM\Desktop\Kickyourass.exe
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users.WINDOWS2\Application Data\SecTaskMan\_entreelist.dll
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\hannah\WINDOWS
c:\documents and settings\Mahjong\UNWISE.EXE
c:\documents and settings\me\Application Data\PriceGong
c:\documents and settings\me\Application Data\PriceGong\Data\1.xml
c:\documents and settings\me\Application Data\PriceGong\Data\a.xml
c:\documents and settings\me\Application Data\PriceGong\Data\b.xml
c:\documents and settings\me\Application Data\PriceGong\Data\c.xml
c:\documents and settings\me\Application Data\PriceGong\Data\d.xml
c:\documents and settings\me\Application Data\PriceGong\Data\e.xml
c:\documents and settings\me\Application Data\PriceGong\Data\f.xml
c:\documents and settings\me\Application Data\PriceGong\Data\g.xml
c:\documents and settings\me\Application Data\PriceGong\Data\h.xml
c:\documents and settings\me\Application Data\PriceGong\Data\i.xml
c:\documents and settings\me\Application Data\PriceGong\Data\J.xml
c:\documents and settings\me\Application Data\PriceGong\Data\k.xml
c:\documents and settings\me\Application Data\PriceGong\Data\l.xml
c:\documents and settings\me\Application Data\PriceGong\Data\m.xml
c:\documents and settings\me\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\me\Application Data\PriceGong\Data\n.xml
c:\documents and settings\me\Application Data\PriceGong\Data\o.xml
c:\documents and settings\me\Application Data\PriceGong\Data\p.xml
c:\documents and settings\me\Application Data\PriceGong\Data\q.xml
c:\documents and settings\me\Application Data\PriceGong\Data\r.xml
c:\documents and settings\me\Application Data\PriceGong\Data\s.xml
c:\documents and settings\me\Application Data\PriceGong\Data\t.xml
c:\documents and settings\me\Application Data\PriceGong\Data\u.xml
c:\documents and settings\me\Application Data\PriceGong\Data\v.xml
c:\documents and settings\me\Application Data\PriceGong\Data\w.xml
c:\documents and settings\me\Application Data\PriceGong\Data\x.xml
c:\documents and settings\me\Application Data\PriceGong\Data\y.xml
c:\documents and settings\me\Application Data\PriceGong\Data\z.xml
c:\documents and settings\me\WINDOWS
c:\documents and settings\youssef\WINDOWS
c:\program files\dialers
c:\program files\WinPCap
c:\program files\WinPCap\install.log
c:\program files\WinPCap\rpcapd.exe
c:\program files\WinPCap\Uninstall.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
-------\Legacy_ABP470N5
-------\Service_abp470n5
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-20 16:56 . 2011-05-20 17:00 -------- d-----w- C:\52d9b97d3a4e2130724323
2011-05-20 16:40 . 2011-05-18 20:10 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2011-05-18 15:47 . 2011-05-18 15:47 -------- d-----w- c:\documents and settings\Family
2011-05-16 18:12 . 2011-05-16 18:13 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12 . 2011-05-16 18:12 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00 . 2011-05-14 22:00 -------- d-----w- C:\VritualRoot
2011-05-14 21:54 . 2011-05-14 21:54 -------- d-----w- c:\program files\ERUNT
2011-05-11 11:44 . 2011-05-11 11:45 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 06:49 . 2011-05-11 06:51 -------- d-----w- c:\program files\Security Task Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-03-04 06:45 . 2003-07-16 16:43 434176 ----a-w- c:\windows2\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 16:45 1857920 ----a-w- c:\windows2\system32\win32k.sys
2011-04-14 16:26 . 2011-05-10 17:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-12 06:12 . 2006-12-24 10:49 135680 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\regedit.exe
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\ServicePackFiles\i386\regedit.exe
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows2\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe
[7] 2004-08-03 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows2\$NtServicePackUninstall$\regedit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 19:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows2\System32\igfxtray.exe" [2005-06-21 237568]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 513344]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2011-05-09 2552648]
.
c:\documents and settings\Me.TIM\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows2\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BCMSMMSG"=BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\System32\\igfxtray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\LSDSMCAUVUTYBOG.scr"=
"c:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe"=
.
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\drivers\cmdGuard.sys [5/2/2011 8:36 PM 242472]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\drivers\cmdhlp.sys [5/2/2011 8:36 PM 29400]
S3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\drivers\bcm42xx5.sys [5/10/2011 6:31 PM 54271]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows2\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 19:44]
.
2011-05-21 c:\windows2\Tasks\WGASetup.job
- c:\windows2\system32\KB905474\wgasetup.exe [2011-05-13 19:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Me.TIM\Application Data\Mozilla\Firefox\Profiles\6tv5e5pb.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 23:56
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(748)
c:\windows2\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(960)
c:\windows2\system32\WININET.dll
c:\windows2\system32\guard32.dll
c:\windows2\system32\ieframe.dll
.
Completion time: 2011-05-22 00:10:43 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-21 21:10
.
Pre-Run: 30,751,260,672 bytes free
Post-Run: 30,250,291,200 bytes free
.
Current=4 Default=4 Failed=1 LastKnownGood=6 Sets=1,2,3,4,6
- - End Of File - - C119386E6443DF67E2011AD241A55CBB

Blade81
2011-05-22, 00:24
Good. Please upload c:\windows2\regedit.exe file to http://www.virustotal.com and post back the results or a link to the results.

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer.

Disable WinPatrol's realtime protection:
Right-click the running icon of WinPatrol in the system tray and choose Exit. It will automatically restart at next boot.

Open Notepad and copy/paste the text in the quotebox below into it:

Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
FixCSet::

Save this as CFScript.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.
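
The CFScript above removes two policy values that lock the user out of Task Manager and the Registry Editor. Below is an added example (written for this page, not code from the thread, from ComboFix or from sUBs) that parses a ComboFix-style "Reg Loading Points" listing, reports the lock-out policies and the Security Center / firewall values seen in the logs in this thread, and builds the matching `Registry::` block using the `"name"=-` deletion syntax from the post above. The sample log is constructed, and the lists of which value names count as a lock-out or as "silencing" are this example's own assumptions; the Security Center override values are reported but not scripted for removal, because a third-party suite such as COMODO sets some of them legitimately and a helper should judge them case by case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the style of ComboFix's "Reg Loading Points" section
# (modelled on this thread's log, not copied from a live machine).
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows2\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Values that lock the user out of built-in tools. These are what the CFScript
# in the post above deletes (assumption: this list is the example's own).
LOCKOUT_POLICIES = {"DisableTaskMgr": 1, "DisableRegistryTools": 1}

# Values that silence Security Center or turn off the Windows Firewall.
# Reported only: a third-party suite can set the Override values legitimately,
# so a human decides (assumption: this list is the example's own).
SILENCING_VALUES = {
    "AntiVirusOverride": 1, "FirewallOverride": 1,
    "AntiVirusDisableNotify": 1, "FirewallDisableNotify": 1,
    "UpdatesDisableNotify": 1, "EnableFirewall": 0,
}


def parse_reg_section(text: str) -> Dict[str, Dict[str, str]]:
    """Parse REGEDIT4-style output into {key_path: {value_name: raw_data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line in (".", "REGEDIT4"):
            continue  # ComboFix separates blocks with a lone "."
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).strip()
    return keys


def decode_dword(raw: str) -> Optional[int]:
    """Return the integer behind 'dword:00000001' or '1 (0x1)'; None otherwise."""
    m = re.match(r"^dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$", raw)
    if m:
        return int(m.group(1))
    return None


def audit(keys: Dict[str, Dict[str, str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split findings into (lock-outs to script away, silencing values to report)."""
    lockouts: List[Tuple[str, str]] = []
    warnings: List[Tuple[str, str]] = []
    for key, values in keys.items():
        for name, raw in values.items():
            val = decode_dword(raw)
            if name in LOCKOUT_POLICIES and val == LOCKOUT_POLICIES[name]:
                lockouts.append((key, name))
            elif name in SILENCING_VALUES and val == SILENCING_VALUES[name]:
                warnings.append((key, name))
    return lockouts, warnings


def build_cfscript(lockouts: List[Tuple[str, str]]) -> str:
    """Emit a CFScript Registry:: block deleting each lock-out value ("name"=-)."""
    if not lockouts:
        return ""
    by_key: Dict[str, List[str]] = {}
    for key, name in lockouts:
        by_key.setdefault(key, []).append(name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found_lockouts, found_warnings = audit(parse_reg_section(SAMPLE_LOG))
    for key, name in found_warnings:
        print(f"REVIEW: {name} under [{key}]")
    print(build_cfscript(found_lockouts))
```

Run as a script it prints the values to review and the `Registry::` block for the two lock-out policies; the `FixCSet::` directive from the post is deliberately not generated, since whether the boot control set needs repair is a separate judgement.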

tankedsecondchance
2011-05-22, 12:01
Well, Registry Editor and Task Manager are back. I did the scan as you asked and here is the log it produced, but I couldn't get to virustotal.com and upload the file; although my other computer can go to that website, this one is stuck at trying to get there to start with. Other than that, I noticed that Scotty and TeaTimer are reporting that something is attempting to change my hosts file from the MVPS hosts file to a completely empty one. I always denied the change; was that the right thing to do?

I have a small question: the old operating system I still have on here, the old XP installation, do all these fixes we are doing have any positive effect on it, or is it just fixing this currently running one?

ComboFix 11-05-21.03 - Me 05/22/2011 1:27.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.323 [GMT 3:00]
Running from: c:\documents and settings\Me.TIM\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me.TIM\Desktop\CFScript.txt
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ABP470N5
-------\Service_abp470n5
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-20 16:56 . 2011-05-20 17:00 -------- d-----w- C:\52d9b97d3a4e2130724323
2011-05-20 16:40 . 2011-05-18 20:10 331805736 ----a-w- C:\WindowsXP-KB936929-SP3-x86-ENU.exe
2011-05-18 15:47 . 2011-05-18 15:47 -------- d-----w- c:\documents and settings\Family
2011-05-16 18:12 . 2011-05-16 18:13 -------- d-----w- c:\program files\Ask.com
2011-05-16 18:12 . 2011-05-16 18:12 -------- d-----w- c:\program files\Foxit Software
2011-05-14 22:00 . 2011-05-14 22:00 -------- d-----w- C:\VritualRoot
2011-05-14 21:54 . 2011-05-14 21:54 -------- d-----w- c:\program files\ERUNT
2011-05-11 11:44 . 2011-05-11 11:45 -------- d-----r- C:\MS Office 2007 ENG
2011-05-11 06:49 . 2011-05-11 06:51 -------- d-----w- c:\program files\Security Task Manager
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-13 22:40 . 2011-04-13 22:40 4284416 ----a-w- c:\windows2\system32\GPhotos.scr
2011-03-04 06:45 . 2003-07-16 16:43 434176 ----a-w- c:\windows2\system32\vbscript.dll
2011-03-03 13:21 . 2003-07-16 16:45 1857920 ----a-w- c:\windows2\system32\win32k.sys
2011-04-14 16:26 . 2011-05-10 17:16 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2007-08-12 06:12 . 2006-12-24 10:49 135680 -c--a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
.
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\regedit.exe
[-] 2008-04-14 . 865A48ECBD314A8089BB108FF5DF9532 . 220160 . . [5.1.2600.5512] . . c:\windows2\ServicePackFiles\i386\regedit.exe
[7] 2008-04-14 . 058710B720282CA82B909912D3EF28DB . 146432 . . [5.1.2600.5512] . . c:\windows2\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e\regedit.exe
[7] 2004-08-03 . 783AFC80383C176B22DBF8333343992D . 146432 . . [5.1.2600.2180] . . c:\windows2\$NtServicePackUninstall$\regedit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-09-28 19:44 1400712 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-09-28 1400712]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
c:\documents and settings\Me.TIM\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows2\system32\guard32.dll
.
SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BCMSMMSG"=BCMSMMSG.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS2\\System32\\igfxtray.exe"=
"c:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\LSDSMCAUVUTYBOG.scr"=
"c:\\Program Files\\COMODO\\COMODO Internet Security\\cmdagent.exe"=
.
R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows2\system32\DRIVERS\bcm42xx5.sys [2001-08-17 54271]
S1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows2\system32\DRIVERS\cmdguard.sys [2011-05-02 242472]
S1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows2\system32\DRIVERS\cmdhlp.sys [2011-05-02 29400]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-22 c:\windows2\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-09-28 19:44]
.
2011-05-21 c:\windows2\Tasks\WGASetup.job
- c:\windows2\system32\KB905474\wgasetup.exe [2011-05-13 19:18]
.
.
------- Supplementary Scan -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:egyptainhollandiatissueculture@msn.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows2\system32\GPhotos.scr/200
FF - ProfilePath - c:\documents and settings\Me.TIM\Application Data\Mozilla\Firefox\Profiles\6tv5e5pb.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 01:57
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Abiosdsk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\abp480n5]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPI]
"ImagePath"="System32\DRIVERS\ACPI.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ACPIEC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\adpu160m]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aec]
"ImagePath"="system32\drivers\aec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AFD]
"ImagePath"="\SystemRoot\System32\drivers\afd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Aha154x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aic78u2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\aic78xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Alerter]
"ServiceDll"="%SystemRoot%\system32\alrsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ALG]
"ImagePath"="%SystemRoot%\System32\alg.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AliIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\amsint]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AppMgmt]
"ServiceDll"="%SystemRoot%\System32\appmgmts.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc3350p]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\asc3550]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AsyncMac]
"ImagePath"="system32\DRIVERS\asyncmac.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\atapi]
"ImagePath"="System32\DRIVERS\atapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Atdisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Atmarpc]
"ImagePath"="System32\DRIVERS\atmarpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\AudioSrv]
"ServiceDll"="%SystemRoot%\System32\audiosrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\audstub]
"ImagePath"="System32\DRIVERS\audstub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\b57w2k]
"ImagePath"="System32\DRIVERS\b57xp32.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BattC]
"MofImagePath"="System32\Drivers\battc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BCM42XX]
"ImagePath"="System32\DRIVERS\bcm42xx5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\bcm4sbxp]
"ImagePath"="System32\DRIVERS\bcm4sbxp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BCMModem]
"ImagePath"="system32\DRIVERS\BCMSM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Beep]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\BITS]
"ServiceDll"="%systemroot%\system32\qmgr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Browser]
"ServiceDll"="%SystemRoot%\System32\browser.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\catchme]
"ImagePath"="\??\c:\docume~1\Me.TIM\LOCALS~1\Temp\catchme.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cbidf2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cd20xrnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdaudio]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cdrom]
"ImagePath"="System32\DRIVERS\cdrom.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Changer]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CiSvc]
"ImagePath"="%SystemRoot%\system32\cisvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ClipSrv]
"ImagePath"="%SystemRoot%\system32\clipsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdAgent]
"ImagePath"="\"c:\program files\COMODO\COMODO Internet Security\cmdagent.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdGuard]
"ImagePath"="System32\DRIVERS\cmdguard.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\cmdHlp]
"ImagePath"="System32\DRIVERS\cmdhlp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CmdIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\COMSysApp]
"ImagePath"="%SystemRoot%\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ContentFilter]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ContentIndex]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Cpqarray]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\CryptSvc]
"ServiceDll"="%SystemRoot%\System32\cryptsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dac2w2k]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dac960nt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DcomLaunch]
"ServiceDll"="%SystemRoot%\system32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dhcp]
"ServiceDll"="%SystemRoot%\System32\dhcpcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Disk]
"ImagePath"="System32\DRIVERS\disk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmadmin]
"ImagePath"="%SystemRoot%\System32\dmadmin.exe /com"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmboot]
"ImagePath"="System32\drivers\dmboot.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmio]
"ImagePath"="System32\drivers\dmio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmload]
"ImagePath"="System32\drivers\dmload.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dmserver]
"ServiceDll"="%SystemRoot%\System32\dmserver.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\DMusic]
"ImagePath"="system32\drivers\DMusic.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dnscache]
"ServiceDll"="%SystemRoot%\System32\dnsrslvr.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Dot3svc]
"ServiceDll"="%SystemRoot%\System32\dot3svc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\dpti2o]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\drmkaud]
"ImagePath"="system32\drivers\drmkaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\EapHost]
"ServiceDll"="%SystemRoot%\System32\eapsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ERSvc]
"ServiceDll"="%SystemRoot%\System32\ersvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Eventlog]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\EventSystem]
"ServiceDll"="c:\windows2\System32\es.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fastfat]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FastUserSwitchingCompatibility]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fdc]
"ImagePath"="System32\DRIVERS\fdc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fips]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Flpydisk]
"ImagePath"="System32\DRIVERS\flpydisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\FltMgr]
"ImagePath"="system32\drivers\fltmgr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Fs_Rec]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ftdisk]
"ImagePath"="System32\DRIVERS\ftdisk.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Gpc]
"ImagePath"="System32\DRIVERS\msgpc.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\gusvc]
"ImagePath"="\"c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\helpsvc]
"ServiceDll"="%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HidServ]
"ServiceDll"="%SystemRoot%\System32\hidserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hidusb]
"ImagePath"="System32\DRIVERS\hidusb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hkmsvc]
"ServiceDll"="%SystemRoot%\System32\kmsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\hpn]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HTTP]
"ImagePath"="System32\Drivers\HTTP.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\HTTPFilter]
"ServiceDll"="%SystemRoot%\System32\w3ssl.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i2omgmt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i2omp]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\i8042prt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ialm]
"ImagePath"="System32\DRIVERS\ialmnt5.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Imapi]
"ImagePath"="System32\DRIVERS\imapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ImapiService]
"ImagePath"="%systemroot%\system32\imapi.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\inetaccs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ini910u]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Inport]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Inspect]
"ImagePath"="System32\DRIVERS\inspect.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IntelIde]
"ImagePath"="System32\DRIVERS\intelide.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\intelppm]
"ImagePath"="System32\DRIVERS\intelppm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ip6fw]
"ImagePath"="system32\drivers\ip6fw.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpFilterDriver]
"ImagePath"="System32\DRIVERS\ipfltdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpInIp]
"ImagePath"="System32\DRIVERS\ipinip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IpNat]
"ImagePath"="System32\DRIVERS\ipnat.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IPSec]
"ImagePath"="System32\DRIVERS\ipsec.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\IRENUM]
"ImagePath"="System32\DRIVERS\irenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ISAPISearch]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\isapnp]
"ImagePath"="System32\DRIVERS\isapnp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Kbdclass]
"ImagePath"="System32\DRIVERS\kbdclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kbdhid]
"ImagePath"="System32\DRIVERS\kbdhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\kmixer]
"ImagePath"="system32\drivers\kmixer.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\KSecDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lanmanserver]
"ServiceDll"="%SystemRoot%\System32\srvsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lanmanworkstation]
"ServiceDll"="%SystemRoot%\System32\wkssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lbrtfdc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ldap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\LicenseService]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\LmHosts]
"ServiceDll"="%SystemRoot%\System32\lmhsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MDM]
"ImagePath"="\"c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE\""
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Messenger]
"ServiceDll"="%SystemRoot%\System32\msgsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mnmdd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mnmsrvc]
"ImagePath"="c:\windows2\System32\mnmsrvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Modem]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MODEMCSA]
"ImagePath"="system32\drivers\MODEMCSA.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Mouclass]
"ImagePath"="System32\DRIVERS\mouclass.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mouhid]
"ImagePath"="System32\DRIVERS\mouhid.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MountMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mraid35x]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MRxDAV]
"ImagePath"="System32\DRIVERS\mrxdav.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MRxSmb]
"ImagePath"="System32\DRIVERS\mrxsmb.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSDTC]
"ImagePath"="c:\windows2\System32\msdtc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Msfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSIServer]
"ImagePath"="%systemroot%\system32\msiexec.exe /V"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSKSSRV]
"ImagePath"="system32\drivers\MSKSSRV.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSPCLOCK]
"ImagePath"="system32\drivers\MSPCLOCK.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\MSPQM]
"ImagePath"="system32\drivers\MSPQM.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\mssmbios]
"ImagePath"="System32\DRIVERS\mssmbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Mup]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\napagent]
"ServiceDll"="%SystemRoot%\System32\qagentrt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NDIS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NdisTapi]
"ImagePath"="System32\DRIVERS\ndistapi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ndisuio]
"ImagePath"="System32\DRIVERS\ndisuio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NdisWan]
"ImagePath"="System32\DRIVERS\ndiswan.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NDProxy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetBIOS]
"ImagePath"="System32\DRIVERS\netbios.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetBT]
"ImagePath"="System32\DRIVERS\netbt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetDDE]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NetDDEdsdm]
"ImagePath"="%SystemRoot%\system32\netdde.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Netlogon]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Netman]
"ServiceDll"="%SystemRoot%\System32\netman.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Nla]
"ServiceDll"="%SystemRoot%\System32\mswsock.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Npfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ntfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NtLmSsp]
"ImagePath"="%SystemRoot%\System32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NtmsSvc]
"ServiceDll"="%SystemRoot%\system32\ntmssvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Null]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NwlnkFlt]
"ImagePath"="System32\DRIVERS\nwlnkflt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\NwlnkFwd]
"ImagePath"="System32\DRIVERS\nwlnkfwd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Parport]
"ImagePath"="System32\DRIVERS\parport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PartMgr]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ParVdm]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCI]
"ImagePath"="System32\DRIVERS\pci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCIDump]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PCIIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Pcmcia]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDCOMP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDRELI]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PDRFRAME]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\perc2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\perc2hib]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfDisk]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfNet]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfOS]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PerfProc]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PlugPlay]
"ImagePath"="%SystemRoot%\system32\services.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PolicyAgent]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PptpMiniport]
"ImagePath"="System32\DRIVERS\raspptp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Processor]
"ImagePath"="System32\DRIVERS\processr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ProtectedStorage]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\PSched]
"ImagePath"="System32\DRIVERS\psched.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ptilink]
"ImagePath"="System32\DRIVERS\ptilink.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1080]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Ql10wnt]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql12160]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1240]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ql1280]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasAcd]
"ImagePath"="System32\DRIVERS\rasacd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasAuto]
"ServiceDll"="%SystemRoot%\System32\rasauto.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Rasl2tp]
"ImagePath"="System32\DRIVERS\rasl2tp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasMan]
"ServiceDll"="%SystemRoot%\System32\rasmans.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RasPppoe]
"ImagePath"="System32\DRIVERS\raspppoe.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Raspti]
"ImagePath"="System32\DRIVERS\raspti.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Rdbss]
"ImagePath"="System32\DRIVERS\rdbss.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPCDD]
"ImagePath"="System32\DRIVERS\RDPCDD.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rdpdr]
"ImagePath"="System32\DRIVERS\rdpdr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPNP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDPWD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RDSessMgr]
"ImagePath"="c:\windows2\system32\sessmgr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\redbook]
"ImagePath"="System32\DRIVERS\redbook.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RemoteAccess]
"ServiceDll"="%SystemRoot%\System32\mprdim.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RemoteRegistry]
"ServiceDll"="%SystemRoot%\system32\regsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RpcLocator]
"ImagePath"="%SystemRoot%\System32\locator.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RpcSs]
"ServiceDll"="%SystemRoot%\System32\rpcss.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\RSVP]
"ImagePath"="%SystemRoot%\System32\rsvp.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SamSs]
"ImagePath"="%SystemRoot%\system32\lsass.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SCardSvr]
"ImagePath"="%SystemRoot%\System32\SCardSvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Schedule]
"ServiceDll"="%SystemRoot%\system32\schedsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ScsiPort]
"ImagePath"="%SystemRoot%\system32\drivers\scsiport.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Secdrv]
"ImagePath"="System32\DRIVERS\secdrv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\seclogon]
"ServiceDll"="%SystemRoot%\System32\seclogon.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\senfilt]
"ImagePath"="system32\drivers\senfilt.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SENS]
"ServiceDll"="%SystemRoot%\system32\sens.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\serenum]
"ImagePath"="System32\DRIVERS\serenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Serial]
"ImagePath"="System32\DRIVERS\serial.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sfloppy]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SharedAccess]
"ServiceDll"="%SystemRoot%\System32\ipnathlp.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ShellHWDetection]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Simbad]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\smwdm]
"ImagePath"="system32\drivers\smwdm.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Sparrow]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\splitter]
"ImagePath"="system32\drivers\splitter.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Spooler]
"ImagePath"="%SystemRoot%\system32\spoolsv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sr]
"ImagePath"="System32\DRIVERS\sr.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\srservice]
"ServiceDll"="%SystemRoot%\system32\srsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Srv]
"ImagePath"="System32\DRIVERS\srv.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SSDPSRV]
"ServiceDll"="%SystemRoot%\System32\ssdpsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\stisvc]
"ServiceDll"="%SystemRoot%\system32\wiaservc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swenum]
"ImagePath"="System32\DRIVERS\swenum.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swmidi]
"ImagePath"="system32\drivers\swmidi.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SwPrv]
"ImagePath"="c:\windows2\System32\dllhost.exe /Processid:{B8B5E953-419D-442A-A711-4CA2060AADDA}"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\swwd]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\symc810]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\symc8xx]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sym_hi]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sym_u3]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\sysaudio]
"ImagePath"="system32\drivers\sysaudio.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\SysmonLog]
"ImagePath"="%SystemRoot%\system32\smlogsvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TapiSrv]
"ServiceDll"="%SystemRoot%\System32\tapisrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Tcpip]
"ImagePath"="System32\DRIVERS\tcpip.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TDPIPE]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TDTCP]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TermDD]
"ImagePath"="System32\DRIVERS\termdd.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TermService]
"ServiceDll"="%SystemRoot%\System32\termsrv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Themes]
"ServiceDll"="%SystemRoot%\System32\shsvcs.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TlntSvr]
"ImagePath"="c:\windows2\System32\tlntsvr.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TosIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TrkWks]
"ServiceDll"="%SystemRoot%\system32\trkwks.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\TSDDD]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Udfs]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ultra]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Update]
"ImagePath"="System32\DRIVERS\update.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\upnphost]
"ServiceDll"="%SystemRoot%\System32\upnphost.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\UPS]
"ImagePath"="%SystemRoot%\System32\ups.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbehci]
"ImagePath"="System32\DRIVERS\usbehci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbhub]
"ImagePath"="System32\DRIVERS\usbhub.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\USBSTOR]
"ImagePath"="System32\DRIVERS\USBSTOR.SYS"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usbuhci]
"ImagePath"="System32\DRIVERS\usbuhci.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VgaSave]
"ImagePath"="\SystemRoot\System32\drivers\vga.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\ViaIde]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VolSnap]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\VSS]
"ImagePath"="%SystemRoot%\System32\vssvc.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\W32Time]
"ServiceDll"="%systemroot%\system32\w32time.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\W3SVC]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Wanarp]
"ImagePath"="System32\DRIVERS\wanarp.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WDICA]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wdmaud]
"ImagePath"="system32\drivers\wdmaud.sys"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WebClient]
"ServiceDll"="%SystemRoot%\System32\webclnt.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\winmgmt]
"ServiceDll"="%SystemRoot%\system32\wbem\WMIsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Winsock]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WinSock2]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WinTrust]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmdmPmSN]
"ServiceDll"="c:\windows\system32\mspmsnsv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\Wmi]
"ServiceDll"="%SystemRoot%\System32\advapi32.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmiApRpl]
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WmiApSrv]
"ImagePath"="c:\windows2\System32\wbem\wmiapsrv.exe"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wscsvc]
"ServiceDll"="%SYSTEMROOT%\system32\wscsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\wuauserv]
"ServiceDll"="c:\windows\system32\wuauserv.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\WZCSVC]
"ServiceDll"="%SystemRoot%\System32\wzcsvc.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\xmlprov]
"ServiceDll"="%SystemRoot%\System32\xmlprov.dll"
.
[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\{D66B2196-5266-41D8-A57A-6E96CDC55151}]
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS2\\system32\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(748)
c:\windows2\system32\guard32.dll
.
- - - - - - - > 'explorer.exe'(2408)
c:\windows2\system32\WININET.dll
c:\windows2\system32\guard32.dll
c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows2\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\BillP Studios\WinPatrol\winpatrol.exe
.
**************************************************************************
.
Completion time: 2011-05-22 03:18:21 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 00:18
ComboFix2.txt 2011-05-21 21:10
.
Pre-Run: 30,204,321,792 bytes free
Post-Run: 29,976,920,064 bytes free
.
Current=4 Default=4 Failed=1 LastKnownGood=6 Sets=1,2,3,4,6
- - End Of File - - 75410EA30B4DBA63678C6AF01F023244
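The log above carries several findings that a triager would normally pull out by hand: every Security Center `*Override` / `*DisableNotify` value is set to 1 (so the user would never be warned that AV, firewall or updates were off), `EnableFirewall` is 0 in the standard profile, catchme reports NTDLL code modification on `ZwClose` and `ZwOpenFile`, a driver named `ABP470N5` appears as newly created in memory, and the `Select` summary shows one control set marked Failed. The following Python helper is an added example (not part of the thread, and not ComboFix or DDS code) that parses a constructed excerpt written in the same layout as the log and turns those observations into a finding list. The excerpt, the value names checked and the thresholds are assumptions made here for illustration.

```python
"""Triage a ComboFix/DDS-style text log for the signs seen in the thread.
Added example; the sample excerpt below is constructed, not the full log."""
import re
from typing import Dict, List

# Constructed excerpt mirroring the log's layout (assumption: same line formats).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ABP470N5
.
detected NTDLL code modification:
ZwClose, ZwOpenFile
.
Current=4 Default=4 Failed=1 LastKnownGood=6 Sets=1,2,3,4,6
"""

# Security Center values that, when 1, silence the "no AV/firewall/updates" warnings.
SUPPRESSION_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesDisableNotify", "UacDisableNotify",
}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_registry_blocks(text: str) -> Dict[str, Dict[str, str]]:
    """Group '"name"=value' lines under the most recent '[key]' header (keys lowercased)."""
    blocks: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.rstrip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group(1)] = m.group(2).strip()
    return blocks


def as_int(value: str) -> int:
    """Read 'dword:00000001' or '0 (0x0)' style values as an int; -1 if unparseable."""
    if value.startswith("dword:"):
        return int(value[len("dword:"):], 16)
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else -1


def security_center_suppression(blocks: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'key\\name' for every suppression value set to 1 under a Security Center key."""
    hits = []
    for key, values in blocks.items():
        if "security center" not in key:
            continue
        for name, raw in values.items():
            if name in SUPPRESSION_VALUES and as_int(raw) == 1:
                hits.append(key + "\\" + name)
    return sorted(hits)


def firewall_disabled(blocks: Dict[str, Dict[str, str]]) -> bool:
    """True when the standard-profile policy carries EnableFirewall=0."""
    for key, values in blocks.items():
        if key.endswith("firewallpolicy\\standardprofile") and "EnableFirewall" in values:
            return as_int(values["EnableFirewall"]) == 0
    return False


def ntdll_hooks(text: str) -> List[str]:
    """Function names listed after catchme's 'detected NTDLL code modification:'."""
    m = re.search(r"detected NTDLL code modification:\s*\n\s*(.+)", text)
    return [f.strip() for f in m.group(1).split(",") if f.strip()] if m else []


def newly_created_services(text: str) -> List[str]:
    """Names flagged as *NewlyCreated* in the in-memory services/drivers section."""
    return re.findall(r"^\*NewlyCreated\*\s*-\s*(\S+)", text, re.MULTILINE)


def control_set_state(text: str) -> Dict[str, str]:
    """Parse the trailing 'Current=.. Default=.. Failed=.. LastKnownGood=..' summary."""
    m = re.search(r"^Current=(\d+) Default=(\d+) Failed=(\d+) LastKnownGood=(\d+)", text, re.M)
    return dict(zip(("Current", "Default", "Failed", "LastKnownGood"), m.groups())) if m else {}


def triage(text: str) -> List[str]:
    """Combine the checks into a list of human-readable findings."""
    blocks = parse_registry_blocks(text)
    findings: List[str] = []
    suppressed = security_center_suppression(blocks)
    if suppressed:
        findings.append(f"Security Center warnings suppressed ({len(suppressed)} values set to 1)")
    if firewall_disabled(blocks):
        findings.append("Windows Firewall disabled in standard profile (EnableFirewall=0)")
    hooks = ntdll_hooks(text)
    if hooks:
        findings.append("NTDLL code modification in " + ", ".join(hooks))
    for svc in newly_created_services(text):
        findings.append(f"Newly created service/driver in memory: {svc}")
    state = control_set_state(text)
    if state and state["Failed"] != "0":
        findings.append(f"ControlSet{int(state['Failed']):03d} is marked Failed; "
                        f"LastKnownGood is ControlSet{int(state['LastKnownGood']):03d}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

None of these findings is a signature on its own: a user can legitimately set the Security Center overrides, and a security product can legitimately hook NTDLL (COMODO's guard32.dll is loaded into lsass.exe and explorer.exe in this very log). The point of the helper is to surface every such deviation in one list so that the combination (warnings silenced, firewall off, unexplained new driver, safe mode unusable) can be weighed together, which is the reasoning the reply below applies.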

tankedsecondchance
2011-05-22, 12:54
Well, I can only see my last post when I hit reply, so here is the text I wrote, and the log is in the zipped file due to it being too large, I think.

Blade81
2011-05-22, 13:16
Hi,

I was trying to get some scanner to run to prove there's a Sality file infector present in your system, meaning a reformat is the only sensible solution.

Though you weren't able to get scanners to run, there's enough evidence (like safe mode disabled + some signs in the log) to show that an infection is present.


If your computer was used for online banking, has credit card information or other sensitive data on it, you should disconnect from the Internet until your system is cleaned. All passwords should be changed immediately to include those used for banking, email, eBay, paypal and online forums. You should consider them to be compromised. You should change each password using a clean computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
What Should I Do If I've Become A Victim Of Identity Theft? (http://www.usdoj.gov/criminal/fraud/websites/idtheft.html#whatifvictim)
Identity Theft Victims Guide - What to do (http://www.privacyrights.org/fs/fs17a.htm)
There is no guarantee this infection can be completely removed. In some instances it may have caused so much damage to your system that it cannot be completely cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Reinstalling Windows without first wiping the entire hard drive with a repartition and/or format will not remove the infection. The reinstall will only overwrite the Windows files. Any malware on the system will still be there afterwards. Please read:
When should I re-format? How should I reinstall? (http://www.dslreports.com/faq/10063)
Help: I Got Hacked. Now What Do I Do? (http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx)
Where to draw the line? When to recommend a format and reinstall? (http://miekiemoes.blogspot.com/2008/06/malware-removal-where-to-draw-line.html)

If you insist on trying to fix this infection instead of following our advice to reformat and reinstall your operating system, there are various rescue disks available from major anti-virus vendors which you can try. Keep in mind, even the vendors like Kaspersky say there is no guarantee that some files will not get corrupted during the disinfection process. In the end most folks end up reformatting out of frustration after spending hours attempting to repair and remove infected files. IMO the safest and easiest thing to do is just reformat and reinstall Windows.

I DO NOT assume any responsibility for your attempt to repair this infection using any of the following tools. You do this at your own risk and against our advice.

These are links to anti-virus vendors that offer free LiveCD or Rescue CD files that you boot from to repair unbootable and damaged systems, rescue data, and scan the system for virus infections. Burn it as an image to a disk to get a bootable CD. All (except Avira) are in the ISO Image (http://en.wikipedia.org/wiki/ISO_image) file format. Avira uses an EXE that has built-in CD burning capability.
Avira AntiVir Rescue System (http://www.raymond.cc/blog/archives/2008/06/28/free-avira-antivir-rescue-system-cd-to-clean-unremovable-virus/) - Avira's download page (http://www.free-av.com/en/tools/12/avira_antivir_rescue_system.html).
If you encounter problems running the Rescue Disk, you can get further assistance at the Avira Tools Support Forum (http://forum.avira.com/wbb/index.php?page=Board&boardID=210).
Dr Web LiveCD (http://www.freedrweb.com/livecd/). Be sure to print out and follow the instructions provided in the User Manual (ftp://ftp.drweb.com/pub/drweb/livecd/LiveCD-en.pdf).
F-Secure Rescue CD (http://www.techmixer.com/free-f-secure-rescue-bootable-cd-to-clean-virus-and-malware/) - Rescue CD 3.01 released (http://www.f-secure.com/linux-weblog/2008/06/).
Video: How to Remove Malware with F-Secure Rescue CD (http://blog.misec.net/2008/09/19/removing-malware-with-f-secure-rescue-cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the F-Secure Support Forum (http://forum.f-secure.com/default.asp?sectionid=0).
BitDefender LiveCD (http://www.techmixer.com/bitdefender-rescue-cd-with-auto-update-virus-definition-features/) - Index of /rescue_cd (http://download.bitdefender.com/rescue_cd/)
If you encounter problems running the Rescue CD, you can get further assistance at the BitDefender Support Forum (http://forum.bitdefender.com/index.php?showforum=185).
Kaspersky RescueDisk (http://www.techmixer.com/kaspersky-rescue-disk-load-kaspersky-antivirus-2009-using-dos/) - Index of /devbuilds/RescueDisk/ (http://ftp.kaspersky.com/devbuilds/RescueDisk/)
If you encounter problems running the RescueDisk, you can get further assistance at the Kaspersky Support Forum (http://forum.kaspersky.com/index.php?showforum=4).
If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO (http://www.bleepingcomputer.com/tutorials/tutorial114.html). If you need a FREE utility to burn the ISO image, download and use ImgBurn (http://www.imgburn.com/).

tankedsecondchance
2011-05-22, 13:58
Well, I'm a sucker for lost causes :D, I used the now working registry editor and fixed the Safe-boot keys and now I'm in Safe mode. I'm currently running Malwarebytes first to see what former registry problems still arise. I still have all the tools I downloaded before, what would you advise me to run now? As for now, dumping the entire system shall be my last resort.

Blade81
2011-05-22, 14:10
Hi,

I've learnt from my experiences with file infectors that it's like battling against windmills - it may look brighter for a moment and then all hell breaks loose again. You may try one of those live CDs if you wish but like I said there's no guarantee those will bring a permanent result.

tankedsecondchance
2011-05-22, 14:20
Well, while in safe mode I noticed that in the administrator account all the problems I had here were still there, as in no registry editor or task manager, which surprises me, seeing as I can access them here in normal mode under my other administrator account.

Blade81
2011-05-22, 19:58
Like I said, the safest way is to reformat the system and start from scratch. You may try other methods if you want but my last advice on this case is given above.

tankedsecondchance
2011-05-22, 21:16
You were correct, we got the one online scanner to run in safe mode and it discovered 1398 infected files in safe mode. We left it to scan and fix whatever it wanted; it said it took care of all except four and we deleted those.

lol, task manager is now locked again. I just wanted to let you know we will start over. Thanks for your help, I will let you know what takes place with the new install.

Blade81
2011-05-22, 22:22
You're welcome. You have to be careful not to use files from the older installation if you have some of those saved. If such a file is Sality-infected it will kick off a new epidemic on the fresh installation.
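The advice above (carry over only documents and pictures, never anything executable) can be enforced with a small vetting pass over the salvaged files before they touch the new installation. The script below is an added example for this thread, not something posted by Blade81 or shipped by Spybot: it checks each file twice, once against an extension allowlist and once against the file's leading bytes, so an executable that has been renamed to look like a document (Sality is a PE file infector, so the `MZ` header is the tell) is still caught. The allowlist, the signature table and the sample files in `demo()` are this example's own constructions.

```python
"""Vet files salvaged from an infected Windows installation before copying them
onto a fresh install.  Added example for the forum thread; not the forum's own tool.

Verdicts: 'copy' (document or picture whose content matches its extension),
'skip' (not on the allowlist, or content does not match the extension),
'reject' (content is an executable regardless of what the name says).
"""
from __future__ import annotations

import tempfile
from pathlib import Path

# Extensions we are willing to carry over (constructed allowlist for this example).
SAFE_EXTENSIONS = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".rtf",
    ".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff",
}

# Leading bytes that must never be copied, whatever the extension claims.
EXECUTABLE_MAGIC = {
    b"MZ": "PE/DOS executable",   # .exe, .dll, .scr, .sys all begin with MZ
    b"\x7fELF": "ELF executable",
}

# Leading bytes we expect for allowed types; a mismatch means the name lies.
OLE_MAGIC = [b"\xd0\xcf\x11\xe0"]   # legacy Office compound document
ZIP_MAGIC = [b"PK\x03\x04"]         # OOXML (docx/xlsx/pptx) is a ZIP container
EXPECTED_MAGIC = {
    ".pdf": [b"%PDF"],
    ".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".bmp": [b"BM"],
    ".doc": OLE_MAGIC, ".xls": OLE_MAGIC, ".ppt": OLE_MAGIC,
    ".docx": ZIP_MAGIC, ".xlsx": ZIP_MAGIC, ".pptx": ZIP_MAGIC,
    ".rtf": [b"{\\rtf"],
}


def classify(head: bytes, name: str) -> tuple[str, str]:
    """Return (verdict, reason) for a file given its first bytes and its name."""
    ext = Path(name).suffix.lower()
    # Content check first: an executable is rejected even as photo.jpg.
    for magic, label in EXECUTABLE_MAGIC.items():
        if head.startswith(magic):
            return "reject", f"content is a {label}"
    if ext not in SAFE_EXTENSIONS:
        return "skip", f"extension {ext or '(none)'} not in allowlist"
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        return "skip", f"content does not look like {ext}"
    return "copy", "document or picture"


def vet_directory(root: str) -> dict[str, list[str]]:
    """Walk a salvage directory and bucket every file by verdict."""
    results: dict[str, list[str]] = {"copy": [], "skip": [], "reject": []}
    for path in Path(root).rglob("*"):
        if path.is_file():
            with path.open("rb") as fh:
                head = fh.read(16)
            verdict, reason = classify(head, path.name)
            results[verdict].append(f"{path.relative_to(root)}: {reason}")
    return results


def demo() -> dict[str, int]:
    """Build a constructed sample tree in a temp dir, vet it, return counts."""
    samples = {  # constructed contents, not real files from any machine
        "letters/notes.txt": b"Dear Tim, the scan finished.",
        "photos/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "photos/report.doc": b"MZ\x90\x00" + b"\x00" * 12,  # executable disguised as a document
        "tools/setup.exe": b"MZ\x90\x00" + b"\x00" * 12,
        "tools/screensaver.scr": b"MZ" + b"\x00" * 14,
        "misc/archive.zip": b"PK\x03\x04" + b"\x00" * 12,   # not on the allowlist
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in samples.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        results = vet_directory(tmp)
    for verdict in ("copy", "skip", "reject"):
        for line in results[verdict]:
            print(f"{verdict.upper():7}{line}")
    return {k: len(v) for k, v in results.items()}


if __name__ == "__main__":
    demo()
```

Only the `copy` bucket should be carried over; the `skip` bucket is worth a manual look (an archive may hold documents, but also an infected .exe), and the `reject` bucket is exactly the class of file Blade81 warns about.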

tankedsecondchance
2011-05-23, 07:12
Based on what ESET mentioned, the only files we were planning to move are Word documents and pictures.

Blade81
2011-05-23, 07:38
Ok, that should work :)

tankedsecondchance
2011-05-24, 10:35
Blade again,

thanks for your time and help

The good thing is I had no important private information on these PCs we have at home. All three have issues, and all are being dumped, formatted and everything installed new.

My computer never really acted badly. Every now and then, over a period of two months, it would hang up for a bit or IE7 would mention an internal error and close, then say I'm sorry, I must restart.

All the virus protection appeared to work correctly (updates, scans, everything), except the CPU usage load would sometimes spike for no clear reason over the last couple of months.


Again thanks

Tim from egypt

Blade81
2011-05-24, 18:28
You're welcome. Infections like Sality are real meanies. Usually up-to-date antivirus protection + a patched system helps keep uninvited guests away. This topic (http://forums.spybot.info/showthread.php?t=279) may give some idea how the infection got itself in.