Computer infected with AntivirusPro 2010

FlaCajun

New member
Antiviruspro 2010 has somehow infected my computer.
(If needed, there is a written log of what has been done to remove this infection.)

Data files have been backed as well as possible.
The registry has been backed up.
HJT was run, but the text file was not displayed.
Now, HJT will not run.

The error message is:
"Windows cannot access the specified device, path or file.
You may not have the appropriate permissions to access the file.",
even though I have admin rights.

Appreciate any help.
 
Hello FlaCajun and welcome to the forums here at SpyBot S&D.


STEP 1:

Please download exeHelper by Raktor to your desktop.
Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

STEP 2:

Save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

Post both logs and we can hopefully go from there.
 
exeHelper ran but no log was created

exeHelper was saved on the desktop and run.
A DOS window opened, then closed.
No 'exehelperlog.txt' file was posted.
Searched the C drive for any 'exehelper' files.
The only one located was the file 'exehelper.com'.
Re-ran 'exehelper.com', but no log.

The infected computer is part of a home network.
No other computers infected.
 
Okay try running STEP 2 and see if that will run. Hopefully it will give us a log. Post that if so.
 
Ran Step 2: Win32Diag.exe but didn't work.

Ran the program 'Win32Diag.exe', but an error message appeared.
The NTVDM CPUT has encountered an illegal instruction.
CS:0536 IP:63 72 70 74 Choose 'Close' to terminate application.
Clicked 'Ignore' and the program terminated.
Ran the program again, same error message.
Clicked 'Close'.
 
Let's see if we can go right after this with combofix.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it even starts to download.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

[image: CF_download_FF.gif]

[image: CF_download_rename.gif]


  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**

[image: RC1.png]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: RC2-1.png]


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do Not run combofix more than once. If you have problems please post back for further instructions.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.
 
Just got the infected computer to boot up.
It performed several shutdowns by itself.

Since Task Manager doesn't work,
I downloaded 'Process Explorer' to shut down 'Antiviruspro 2010'.

I am using another computer to post to the forum.

Should I continue with Combo Fix?
 
If you can run combofix, yes, go for it. This PC sounds like it's in pretty bad shape, do you have your XP disc? I'm thinking maybe a repair install if we cannot get any tools to run.
 
I have isolated the infected computer from the internet,
so that the infection can not download anything more off the internet.
I can download files from another computer to the infected computer.

Is this the way to go?
 
Okay good. Yes, that is probably the best way to go right now. You could use a CD/DVD, which is the safest way. Or you can use a USB drive. You just take the chance that the USB drive will get infected when you plug it into the infected PC. To reduce the risk of that you should run FlashDisinfector.

Download Flash_Disinfector.exe by sUBs from here and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.

    Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you run it. Don't delete this folder...it will help protect your drives from future infection.
Even with using FD, I would suggest using a drive you don't have anything critical saved on. That way you can just format it when you're done to be sure it's clean.
 
ComboFix was run, but it was difficult to download on infected computer.
Initially, a window opened up with the code displayed.
Eventually, a box popped up and it was successfully saved to the desktop.

Here is the log.



ComboFix 09-10-04.01 - Raymond 10/05/2009 13:51.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.641 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aIx11A.tmp
c:\documents and settings\All Users\Application Data\awekymyry.bin
c:\documents and settings\All Users\Application Data\canycy.bat
c:\documents and settings\All Users\Application Data\dekuha.dll
c:\documents and settings\All Users\Application Data\dijibot.vbs
c:\documents and settings\All Users\Application Data\ehatepu.lib
c:\documents and settings\All Users\Application Data\ekusaleb.scr
c:\documents and settings\All Users\Application Data\elanijudup.reg
c:\documents and settings\All Users\Application Data\igycoh.sys
c:\documents and settings\All Users\Application Data\iqesytakyq.lib
c:\documents and settings\All Users\Application Data\kebexugaq.dl
c:\documents and settings\All Users\Application Data\nydyhaz.com
c:\documents and settings\All Users\Application Data\tohakut.inf
c:\documents and settings\All Users\Application Data\vupofajo.dl
c:\documents and settings\All Users\Application Data\wiwete._sy
c:\documents and settings\All Users\Application Data\ysotujev.dl
c:\documents and settings\All Users\Documents\ekixejy.sys
c:\documents and settings\All Users\Documents\eniwityb.bat
c:\documents and settings\All Users\Documents\erozak.pif
c:\documents and settings\All Users\Documents\iweby.scr
c:\documents and settings\All Users\Documents\notapos.reg
c:\documents and settings\All Users\Documents\ubegedabi.sys
c:\documents and settings\All Users\Documents\unenif.reg
c:\documents and settings\All Users\Documents\ygyzu.inf
c:\documents and settings\Raymond\Application Data\ebej.inf
c:\documents and settings\Raymond\Application Data\ehepun.vbs
c:\documents and settings\Raymond\Application Data\emocyxohu.dll
c:\documents and settings\Raymond\Application Data\exeqoh.com
c:\documents and settings\Raymond\Application Data\fosevaluxy.exe
c:\documents and settings\Raymond\Application Data\lizkavd.exe
c:\documents and settings\Raymond\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk
c:\documents and settings\Raymond\Application Data\mocy.vbs
c:\documents and settings\Raymond\Application Data\obop.com
c:\documents and settings\Raymond\Application Data\otyxel.exe
c:\documents and settings\Raymond\Application Data\seres.exe
c:\documents and settings\Raymond\Application Data\svcst.exe
c:\documents and settings\Raymond\Application Data\upebekur.com
c:\documents and settings\Raymond\Application Data\vecufig.com
c:\documents and settings\Raymond\Application Data\yloza.pif
c:\documents and settings\Raymond\Cookies\bahysyq.dll
c:\documents and settings\Raymond\Cookies\ciworyzeb._dl
c:\documents and settings\Raymond\Cookies\cynihijip.db
c:\documents and settings\Raymond\Cookies\geda.bin
c:\documents and settings\Raymond\Cookies\jesa.scr
c:\documents and settings\Raymond\Cookies\mosuxype.reg
c:\documents and settings\Raymond\Cookies\okofiroja.bin
c:\documents and settings\Raymond\Cookies\osyg.lib
c:\documents and settings\Raymond\Cookies\pobiz._dl
c:\documents and settings\Raymond\Cookies\qepysyduw._dl
c:\documents and settings\Raymond\Cookies\ryfite.dat
c:\documents and settings\Raymond\Cookies\vexype.exe
c:\documents and settings\Raymond\Cookies\viduwa.dat
c:\documents and settings\Raymond\Cookies\xubow.inf
c:\documents and settings\Raymond\Cookies\yliqaripot._dl
c:\documents and settings\Raymond\Local Settings\Application Data\amutaduwyx._dl
c:\documents and settings\Raymond\Local Settings\Application Data\hihamo.reg
c:\documents and settings\Raymond\Local Settings\Application Data\jinun.inf
c:\documents and settings\Raymond\Local Settings\Application Data\navur.ban
c:\documents and settings\Raymond\Local Settings\Application Data\rehuqex.dll
c:\documents and settings\Raymond\Local Settings\Application Data\relenoqa._dl
c:\documents and settings\Raymond\Local Settings\Application Data\rifubojo.inf
c:\documents and settings\Raymond\Local Settings\Application Data\ujyvim._dl
c:\documents and settings\Raymond\Local Settings\Application Data\usiz.dll
c:\documents and settings\Raymond\Local Settings\Application Data\ymaq.dll
c:\documents and settings\Raymond\Local Settings\Application Data\zoturubam._dl
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\cibo.dat
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\ehekur.ban
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\emifem.exe
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\hyfe.dll
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\icev.pif
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\ivewacohe.dat
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\kewo.com
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\qaryheq.bin
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\sejad.dll
c:\documents and settings\Raymond\Local Settings\Temporary Internet Files\urofosoti.sys
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Raymond\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\program files\AntivirusPro_2010
c:\program files\AntivirusPro_2010\AntivirusPro_2010.exe
c:\program files\Common Files\dipyzuh.scr
c:\program files\Common Files\hamys.reg
c:\program files\Common Files\ibawihadoc._dl
c:\program files\Common Files\kumyces.bin
c:\program files\Common Files\lajora.reg
c:\program files\Common Files\oradyryxi.ban
c:\program files\Common Files\yluquzec.reg
c:\windows\afoj.bin
c:\windows\cidyjocad.dl
c:\windows\edukusen.ban
c:\windows\emygybymyq.vbs
c:\windows\esunewyw.inf
c:\windows\foga.dll
c:\windows\hamiq.inf
c:\windows\ikyzasa.dl
c:\windows\isucimoce.ban
c:\windows\isylebo.inf
c:\windows\kygemadik.reg
c:\windows\mynudiha.sys
c:\windows\nomoq.sys
c:\windows\obituzawy.dl
c:\windows\ocavazydo.vbs
c:\windows\povomar.pif
c:\windows\qaqe.bat
c:\windows\qeromunoci.bat
c:\windows\qujuwopa.reg
c:\windows\rera.bin
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\asewohet.sys
c:\windows\system32\awixakoduh.vbs
c:\windows\system32\byxuzekod.reg
c:\windows\system32\drivers\gasfkyebwupqoy.sys
c:\windows\system32\drivers\snetcfg.exe
c:\windows\system32\ewunekexe.bat
c:\windows\system32\gicogyjy.vbs
c:\windows\system32\jofu.sys
c:\windows\system32\lyjyxysofi.exe
c:\windows\system32\osihutig.bin
c:\windows\system32\pabogumo.pif
c:\windows\system32\qabekus.inf
c:\windows\system32\rejobedil._dl
c:\windows\system32\ulacesa.inf
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\yqeb.reg
c:\windows\system32\ysyrobohaj.scr
c:\windows\tipok.dl
c:\windows\unataqu._dl
c:\windows\utolimasu.exe
c:\windows\vizeqodub.dl
c:\windows\xubifobaf._dl
c:\windows\ybewy.dll
c:\windows\yjedywymav.exe

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 17:42 . 2009-10-05 17:42 -------- d--h--w- c:\windows\PIF
2009-10-05 13:17 . 2009-10-05 13:17 11942 ----a-w- c:\windows\ylidazuse.dat
2009-10-05 00:13 . 2009-10-05 00:13 -------- d-----w- c:\program files\Temp
2009-10-05 00:12 . 2009-10-05 00:12 -------- d-----w- c:\program files\Ttemp
2009-10-03 19:56 . 2009-10-05 00:11 -------- d-----w- c:\program files\Trend Micro
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 20:16 . 2009-10-01 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 18:28 . 2009-10-01 20:33 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-01 18:05 . 2009-10-01 18:05 14893 ----a-w- c:\windows\yhiqyxe.dat
2009-10-01 17:49 . 2009-10-01 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-01 17:48 . 2009-10-01 17:48 -------- d-----w- c:\program files\Common Files\iS3
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-01 13:11 . 2009-10-01 13:11 10501 ----a-w- c:\windows\urihito.dat
2009-10-01 04:12 . 2009-10-01 04:12 17640 ----a-w- c:\windows\unedoto.com
2009-10-01 04:12 . 2009-10-01 04:12 11951 ----a-w- c:\windows\okokejo.dat
2009-10-01 04:05 . 2009-10-01 04:05 12362 ----a-w- c:\windows\zapi.dat
2009-10-01 03:29 . 2009-10-05 13:16 0 ----a-r- c:\windows\win32k.sys
2009-10-01 03:29 . 2009-10-01 03:29 57856 ----a-w- C:\vklebc.exe
2009-10-01 03:29 . 2009-10-01 03:29 46592 ----a-w- C:\hrngen.exe
2009-10-01 03:29 . 2009-10-01 03:29 52736 ----a-w- C:\afuqr.exe
2009-10-01 03:29 . 2009-10-01 03:29 12288 ----a-w- C:\qtpjjuur.exe
2009-10-01 03:29 . 2009-10-01 03:29 6144 ----a-w- C:\avjelge.exe
2009-10-01 03:28 . 2009-10-01 03:29 79360 ----a-w- C:\aefxixl.exe
2009-10-01 03:28 . 2009-10-01 03:29 17920 ----a-w- C:\qgferewy.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 17:43 . 2008-10-24 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 17:28 . 2008-10-24 21:45 -------- d-----w- c:\program files\McAfee
2009-10-05 16:04 . 2008-10-25 02:31 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
2009-10-01 20:37 . 2008-10-24 14:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 04:12 . 2009-10-01 04:12 10079 ----a-w- c:\documents and settings\Raymond\Application Data\uwudorexiq.dat
2009-09-29 20:05 . 2009-02-11 13:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\U3
2009-09-28 13:37 . 2008-10-24 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-16 16:32 . 2008-10-24 21:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 17:44 . 2008-10-24 21:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2008-10-24 21:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2008-10-24 21:45 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2008-10-24 21:45 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2008-10-24 21:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\Raymond\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-10-29 253952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-mserv - c:\documents and settings\Raymond\Application Data\svcst.exe
HKLM-Run-eDataSecurity Loader - c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 13:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3492)
c:\program files\Logitech\iTouch\iTchHk.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-05 14:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 18:03

Pre-Run: 67,637,608,448 bytes free
Post-Run: 69,542,277,120 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

333 --- E O F --- 2008-10-23 20:20
 
Great Job!

Wow, that is quite a collection of stuff you picked up there.

1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
File::
c:\windows\urihito.dat
c:\windows\unedoto.com
c:\windows\okokejo.dat
c:\windows\zapi.dat
c:\windows\win32k.sys
C:\vklebc.exe
C:\hrngen.exe
C:\afuqr.exe
C:\qtpjjuur.exe
C:\avjelge.exe
C:\aefxixl.exe
C:\qgferewy.exe
c:\windows\ylidazuse.dat
c:\windows\yhiqyxe.dat


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScriptB-4.gif]



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

Also see if you can run the Win32kDiag tool I had advised earlier and post that log.
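As an added illustration of how a CFScript like the one above gets assembled (this is example code, not the helper's or ComboFix's own): a small Python triage script that parses the "Files Created" section of the first ComboFix log in this thread, flags the loose files in the drive root and directly in the Windows directory that no legitimate installer drops, and renders them as a File:: block. The Windows directory path and the embedded sample input are assumptions taken from the log posted earlier.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed input: the "Files Created" section of the first ComboFix log
# posted in this thread, reproduced here so the script runs offline.
SAMPLE_FILES_CREATED = r"""
2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 17:42 . 2009-10-05 17:42 -------- d--h--w- c:\windows\PIF
2009-10-05 13:17 . 2009-10-05 13:17 11942 ----a-w- c:\windows\ylidazuse.dat
2009-10-05 00:13 . 2009-10-05 00:13 -------- d-----w- c:\program files\Temp
2009-10-05 00:12 . 2009-10-05 00:12 -------- d-----w- c:\program files\Ttemp
2009-10-03 19:56 . 2009-10-05 00:11 -------- d-----w- c:\program files\Trend Micro
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 20:16 . 2009-10-01 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 18:28 . 2009-10-01 20:33 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-01 18:05 . 2009-10-01 18:05 14893 ----a-w- c:\windows\yhiqyxe.dat
2009-10-01 17:49 . 2009-10-01 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-01 17:48 . 2009-10-01 17:48 -------- d-----w- c:\program files\Common Files\iS3
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-10-01 13:11 . 2009-10-01 13:11 10501 ----a-w- c:\windows\urihito.dat
2009-10-01 04:12 . 2009-10-01 04:12 17640 ----a-w- c:\windows\unedoto.com
2009-10-01 04:12 . 2009-10-01 04:12 11951 ----a-w- c:\windows\okokejo.dat
2009-10-01 04:05 . 2009-10-01 04:05 12362 ----a-w- c:\windows\zapi.dat
2009-10-01 03:29 . 2009-10-05 13:16 0 ----a-r- c:\windows\win32k.sys
2009-10-01 03:29 . 2009-10-01 03:29 57856 ----a-w- C:\vklebc.exe
2009-10-01 03:29 . 2009-10-01 03:29 46592 ----a-w- C:\hrngen.exe
2009-10-01 03:29 . 2009-10-01 03:29 52736 ----a-w- C:\afuqr.exe
2009-10-01 03:29 . 2009-10-01 03:29 12288 ----a-w- C:\qtpjjuur.exe
2009-10-01 03:29 . 2009-10-01 03:29 6144 ----a-w- C:\avjelge.exe
2009-10-01 03:28 . 2009-10-01 03:29 79360 ----a-w- C:\aefxixl.exe
2009-10-01 03:28 . 2009-10-01 03:29 17920 ----a-w- C:\qgferewy.exe
"""

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
WINDOWS_DIR = r"c:\windows"  # assumption: default XP install on drive C


class Entry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]  # None for directories (ComboFix prints --------)
    is_dir: bool
    path: str


def parse_files_created(text: str) -> List[Entry]:
    """Parse 'Files Created' lines; anything that does not match is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size,
                             m["attrs"].startswith("d"), m["path"]))
    return entries


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path ('c:' for the drive root)."""
    return path.rsplit("\\", 1)[0].lower()


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Flag files no legitimate installer drops: loose files in the drive root
    or directly in the Windows directory. Subfolders such as system32 are not
    flagged, so the proquota.exe that ComboFix restored is left alone."""
    flagged = []
    for e in entries:
        if e.is_dir:
            continue
        parent = parent_dir(e.path)
        if re.fullmatch(r"[a-z]:", parent):
            flagged.append((e.path, "random-named file dropped in the drive root"))
        elif parent == WINDOWS_DIR:
            reason = "file dropped directly in the Windows directory"
            if e.size == 0:
                reason += "; 0 bytes, a placeholder using a real driver's name"
            flagged.append((e.path, reason))
    return flagged


def build_cfscript(flagged: List[Tuple[str, str]]) -> str:
    """Render the File:: block in the shape the helper posted above."""
    return "File::\n" + "\n".join(path for path, _ in flagged) + "\n"


if __name__ == "__main__":
    hits = triage(parse_files_created(SAMPLE_FILES_CREATED))
    for path, why in hits:
        print(f"{path:45s} {why}")
    print(build_cfscript(hits))
```

Run against the sample it reproduces exactly the 14 paths in the helper's CFScript and skips the restored proquota.exe; it is a triage aid for reading the log, not a substitute for the helper's judgement on each entry.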
 
Here is the latest log.
Going to run Win32kdiag.exe next.

ComboFix 09-10-04.01 - Raymond 10/05/2009 14:49.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.657 [GMT -4:00]
Running from: c:\documents and settings\Raymond\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Raymond\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

FILE ::
"C:\aefxixl.exe"
"C:\afuqr.exe"
"C:\avjelge.exe"
"C:\hrngen.exe"
"C:\qgferewy.exe"
"C:\qtpjjuur.exe"
"C:\vklebc.exe"
"c:\windows\okokejo.dat"
"c:\windows\unedoto.com"
"c:\windows\urihito.dat"
"c:\windows\win32k.sys"
"c:\windows\yhiqyxe.dat"
"c:\windows\ylidazuse.dat"
"c:\windows\zapi.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\aefxixl.exe
C:\afuqr.exe
C:\avjelge.exe
C:\hrngen.exe
C:\qgferewy.exe
C:\qtpjjuur.exe
C:\vklebc.exe
c:\windows\okokejo.dat
c:\windows\unedoto.com
c:\windows\urihito.dat
c:\windows\win32k.sys
c:\windows\yhiqyxe.dat
c:\windows\ylidazuse.dat
c:\windows\zapi.dat

.
((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 17:55 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-05 17:42 . 2009-10-05 17:42 -------- d--h--w- c:\windows\PIF
2009-10-05 00:13 . 2009-10-05 00:13 -------- d-----w- c:\program files\Temp
2009-10-05 00:12 . 2009-10-05 00:12 -------- d-----w- c:\program files\Ttemp
2009-10-03 19:56 . 2009-10-05 00:11 -------- d-----w- c:\program files\Trend Micro
2009-10-03 19:49 . 2009-10-03 19:49 -------- d-----w- c:\program files\ERUNT
2009-10-01 20:16 . 2009-10-01 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-01 18:28 . 2009-10-05 17:58 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-01 17:49 . 2009-10-01 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-10-01 17:48 . 2009-10-01 17:48 -------- d-----w- c:\program files\Common Files\iS3
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 17:43 . 2008-10-24 14:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-05 17:28 . 2008-10-24 21:45 -------- d-----w- c:\program files\McAfee
2009-10-05 16:04 . 2008-10-25 02:31 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
2009-10-01 20:37 . 2008-10-24 14:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-01 04:12 . 2009-10-01 04:12 10079 ----a-w- c:\documents and settings\Raymond\Application Data\uwudorexiq.dat
2009-09-29 20:05 . 2009-02-11 13:00 -------- d-----w- c:\documents and settings\Raymond\Application Data\U3
2009-09-28 13:37 . 2008-10-24 21:40 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-16 16:32 . 2008-10-24 21:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 17:44 . 2008-10-24 21:46 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 17:44 . 2008-10-24 21:46 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 17:44 . 2008-10-24 21:45 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 17:44 . 2008-10-24 21:45 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 17:43 . 2008-10-24 21:46 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-04 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"HPWUTOOLBOX"="c:\program files\HP\HP Officejet Pro K550 Series\Toolbox\HPWUTBX.exe" [2005-07-23 352256]
"zBrowser Launcher"="c:\program files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-10-24 136600]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-17 16207872]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2006-05-16 2879488]

c:\documents and settings\Raymond\Start Menu\Programs\Startup\
DING!.lnk - c:\program files\Southwest Airlines\Ding\Ding.exe [2006-6-22 462848]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ImageMixer 3 SE Camera Monitor for SD.lnk - c:\program files\PIXELA\ImageMixer 3 SE for SD\CameraMonitor.exe [2008-10-29 253952]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\eLock2BurnerLockDriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\eLock2FSCTLDriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]

2009-06-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2008-10-24 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2009-10-05 14:55
ComboFix-quarantined-files.txt 2009-10-05 18:55
ComboFix2.txt 2009-10-05 18:03

Pre-Run: 69,555,388,416 bytes free
Post-Run: 69,546,696,704 bytes free

180 --- E O F --- 2008-10-23 20:20
 
Unable to run 'win32kdiag.exe'.


DOS window opens up, then an error message.

'16 bit MS-DOS Subsystem'
C:\DOCUME~1\Raymond\Desktop\WIN32K~1.EXE
The NTVDM CPU has encountered an illegal instruction.
CS:0536 IP:0111 OP:63 72 69 70 74 Choose 'Close' to terminate application.
 
Let's do some other scans

STEP 1:

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.

STEP 2:

We Need to check for Rootkits with RootRepeal
  1. Download RootRepeal from the following location and save it to your desktop.
  2. Extract RootRepeal.exe from the archive.
  3. Open RootRepeal.exe on your desktop.
  4. Click the Report tab.
  5. Click the Scan button.
  6. Check all seven boxes.
  7. Push Ok
  8. Check the box for your main system drive (Usually C:), and press Ok.
  9. Allow RootRepeal to run a scan of your system. This may take some time.
  10. Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.
 
Here is the DDS.txt file

DDS (Ver_09-09-29.01) - NTFSx86
Run by Raymond at 18:39:48.34 on Mon 10/05/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.582 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\Raymond\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.kitco.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\eRAgent.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPWUTOOLBOX] c:\program files\hp\hp officejet pro k550 series\toolbox\HPWUTBX.exe "-i"
mRun: [zBrowser Launcher] c:\program files\logitech\itouch\iTouch.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\raymond\startm~1\programs\startup\ding!.lnk - c:\program files\southwest airlines\ding\Ding.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\imagem~1.lnk - c:\program files\pixela\imagemixer 3 se for sd\CameraMonitor.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {32505657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-24 214024]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-24 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-10-24 144704]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-24 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-24 35272]
S2 0143791254781135mcinstcleanup;McAfee Application Installer Cleanup (0143791254781135);c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\014379~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S2 eLock2BurnerLockDriver;eLock2BurnerLockDriver;\??\c:\windows\system32\elock2burnerlockdriver.sys --> c:\windows\system32\eLock2BurnerLockDriver.sys [?]
S2 eLock2FSCTLDriver;eLock2FSCTLDriver;\??\c:\windows\system32\elock2fsctldriver.sys --> c:\windows\system32\eLock2FSCTLDriver.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-24 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-24 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-10-24 606736]

=============== Created Last 30 ================

2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-05 13:48 161,792 a------- c:\windows\SWREG.exe
2009-10-05 13:48 98,816 a------- c:\windows\sed.exe
2009-10-05 13:42 <DIR> --d-h--- c:\windows\PIF
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-04 20:12 <DIR> --d----- c:\program files\Ttemp
2009-10-03 15:56 <DIR> --d----- c:\program files\Trend Micro
2009-10-01 14:28 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-01 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-10-01 13:48 <DIR> --d----- c:\program files\common files\iS3
2009-10-01 13:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-10-01 13:11 <DIR> --d----- c:\windows\pss
2009-10-01 00:12 17,891 a------- c:\windows\xysewo._sy
2009-10-01 00:12 15,594 a------- c:\windows\hufy.lib
2009-10-01 00:12 10,079 a------- c:\docume~1\raymond\applic~1\uwudorexiq.dat
2009-10-01 00:05 17,340 a------- c:\windows\system32\anawan._sy

==================== Find3M ====================

2009-10-05 09:17 15,281 a------- c:\program files\common files\exagim._sy

============= FINISH: 18:39:59.35 ===============
 
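Added example (editor's code, not a tool from this thread and not part of DDS or ComboFix): a small triage script that parses the "Created Last 30" / "Find3M" file listings from the DDS log above and the "Find3M Report" lines from the ComboFix log, then flags the dropped files by the pattern they share in this thread: short all-lowercase random-looking names, odd extensions, landed in Windows or profile directories within minutes of each other. The extension list, watched directories, name heuristic and 24-hour drop window are assumptions chosen for this thread, not rules from either tool; the sample lines are copied from the logs posted above.

```python
"""Triage helper for DDS / ComboFix file listings (added example, not from the thread).

Parses the two listing formats and flags files matching the dropper pattern seen
above. Heuristics and thresholds are assumptions for this thread, not tool rules.
"""
import ntpath
import re
from collections import namedtuple
from datetime import datetime

Entry = namedtuple("Entry", "when size attrs path")

# DDS:      2009-10-01 00:12 17,891 a------- c:\windows\xysewo._sy
# ComboFix: 2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
# (ComboFix prints two timestamps; the first one is the one kept here.)
LINE_FORMATS = (
    re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$"),
    re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(-+|\d+)\s+(\S+)\s+(.+?)\s*$"),
)


def parse_listing(text):
    """Return an Entry for every line in either format; size is None for directories."""
    entries = []
    for raw in text.splitlines():
        for fmt in LINE_FORMATS:
            m = fmt.match(raw.strip())
            if m:
                when, size, attrs, path = m.groups()
                size_val = int(size.replace(",", "")) if size[0].isdigit() else None
                entries.append(Entry(datetime.strptime(when, "%Y-%m-%d %H:%M"), size_val, attrs, path))
                break
    return entries


# Extensions no legitimate installer drops as fresh files in these places (assumption).
ODD_EXTS = {"._sy", ".lib", ".dat", ".tmp"}
# Drop locations used in this thread, long and 8.3 forms, lower-cased (assumption).
WATCHED_DIRS = ("c:\\windows\\", "c:\\program files\\common files\\", "\\application data\\", "\\applic~1\\")
# Random-name heuristic: 4 to 12 lowercase letters, no digits (assumption).
RANDOM_STEM_RE = re.compile(r"^[a-z]{4,12}$")


def is_suspicious(entry):
    """All three heuristics must hold, which keeps vendor files such as Mpfp.sys out of the list."""
    if entry.size is None:
        return False
    path = entry.path.lower()
    stem, ext = ntpath.splitext(ntpath.basename(path))
    return (any(d in path for d in WATCHED_DIRS)
            and ext in ODD_EXTS
            and RANDOM_STEM_RE.match(stem) is not None)


def triage(text, window_hours=24):
    """Return (flagged, clusters): flagged entries sorted by time, and the same entries
    grouped so each cluster spans at most window_hours from its first file.
    One cluster usually corresponds to one dropper run."""
    flagged = sorted((e for e in parse_listing(text) if is_suspicious(e)), key=lambda e: e.when)
    clusters = []
    for e in flagged:
        if clusters and (e.when - clusters[-1][0].when).total_seconds() <= window_hours * 3600:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return flagged, clusters


# Lines copied from the DDS and ComboFix logs posted in this thread.
SAMPLE = r"""
2009-10-05 13:55 50,176 a------- c:\windows\system32\proquota.exe
2009-10-05 13:49 <DIR> a-dshr-- C:\cmdcons
2009-10-05 13:48 229,888 a------- c:\windows\PEV.exe
2009-10-04 20:13 <DIR> --d----- c:\program files\Temp
2009-10-01 00:12 17,891 a------- c:\windows\xysewo._sy
2009-10-01 00:12 15,594 a------- c:\windows\hufy.lib
2009-10-01 00:12 10,079 a------- c:\docume~1\raymond\applic~1\uwudorexiq.dat
2009-10-01 00:05 17,340 a------- c:\windows\system32\anawan._sy
2009-10-05 13:17 . 2009-10-05 13:17 15281 ----a-w- c:\program files\Common Files\exagim._sy
2009-10-01 17:48 . 2009-10-01 18:27 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-07-16 16:32 . 2008-10-24 21:45 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
"""

if __name__ == "__main__":
    flagged, clusters = triage(SAMPLE)
    for i, cluster in enumerate(clusters, 1):
        print(f"drop window {i}: {cluster[0].when:%Y-%m-%d %H:%M} .. {cluster[-1].when:%Y-%m-%d %H:%M}")
        for e in cluster:
            print(f"  {e.size:>7} {e.path}")
```

Run against the sample it groups the four files written between 00:05 and 00:12 on 2009-10-01 into one drop window and exagim._sy into a second, while the ComboFix tool files and the McAfee driver fall through every heuristic. When pasting a full log in, feed the whole text: lines that are not file entries are ignored by the parser.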
Here is the Attach.txt file
Proceeding with Step 2 of instructions.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/23/2008 12:52:59 PM
System Uptime: 10/5/2009 1:59:15 PM (5 hours ago)

Motherboard: Acer | | E946GZ
Processor: Intel(R) Pentium(R) D CPU 3.00GHz | Socket 775 | 3000/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 147 GiB total, 64.785 GiB free.
D: is FIXED (FAT32) - 1 GiB total, 1.449 GiB free.
E: is FIXED (NTFS) - 466 GiB total, 347.149 GiB free.
F: is FIXED (NTFS) - 932 GiB total, 561.121 GiB free.
G: is CDROM ()
H: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP281: 10/5/2009 1:58:22 PM - System Checkpoint

==== Installed Programs ======================

AAC Decoder
Adobe Acrobat 7.0 Standard
Adobe Acrobat 7.1.0 Standard
Adobe Flash Player 10 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Apple Software Update
AutoUpdate
DING!
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
ERUNT 1.1j
H.264 Decoder
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Officejet Pro K550 Series
ImageMixer 3 SE for SD
Intel(R) Graphics Media Accelerator Driver
Java(TM) 6 Update 10
LightScribe 1.4.74.1
Logitech iTouch Software
McAfee SecurityCenter
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Misc
MKV Splitter
Mozilla Thunderbird (2.0.0.23)
News Rover
NTI Backup NOW! 4
NTI CD & DVD-Maker
OCA Client history tool install
PowerDVD
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player (KB911564)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Spybot - Search & Destroy
The Works of W. Cleon Skousen Version 3.0.1
Toolbox
Trader Workstation 4.0
UGuide
Update for Windows XP (KB951072-v2)
VC80CRTRedist - 8.0.50727.762
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

9/30/2009 10:11:03 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume .
9/28/2009 9:18:48 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
9/28/2009 8:50:34 AM, error: Service Control Manager [7000] - The eLock2FSCTLDriver service failed to start due to the following error: The system cannot find the file specified.
9/28/2009 8:50:33 AM, error: Service Control Manager [7000] - The eLock2BurnerLockDriver service failed to start due to the following error: The system cannot find the file specified.
10/5/2009 9:22:08 AM, error: Service Control Manager [7000] - The McAfee Scanner service failed to start due to the following error: Access is denied.
10/5/2009 9:22:08 AM, error: DCOM [10005] - DCOM got error "%5" attempting to start the service MCODS with arguments "" in order to run the server: {C98F04D7-CD30-4BB0-B7D7-8DD7448520F2}
10/5/2009 1:58:00 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file 'KB912812' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
10/5/2009 1:51:29 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:49:17 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
10/5/2009 1:48:47 PM, error: Service Control Manager [7023] - The Automatic Updates service terminated with the following error: The specified module could not be found.

==== End Of File ===========================
 
Here is the text file from Step 2.
Also, I have 2 other hard drives that are data files only.
Let me know if those should be scanned with these tools.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/05 18:52
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\Combo-Fix\catchme.sys
Address: 0xF787C000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF763C000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA9FDC000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7ADE000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP90.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP90.SYS
Address: 0xF7B60000 Size: 6464 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF7013000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==
 