Malwarebytes

HJT logfile vbalsgrid error - no taskbar

62 replies to this topic

#1
Jazza

    New Member

  • Members
  • 36 posts
Hi there. I downloaded and ran something I shouldn't have and am now paying for it. I get a vbalsgrid error when I try to run MBAM.
After reading a bit in the forums I've also downloaded and run ComboFix, whose log follows. Any help would be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 11:53:36 PM, on 4/19/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\HijackThis\DS.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Unknown owner - C:\Program Files\Google\Update\GoogleUpdate.exe" /svc (file missing)
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


ComboFix 09-04-19.05 - Guru 04/19/2009 23:31.2 - NTFSx86
Running from: c:\documents and settings\Guru\Desktop\Combo-Fix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2009-03-19 to 2009-04-19 )))))))))))))))))))))))))))))))
.

2009-04-18 00:31 . 2004-02-10 16:32 491520 ----a-w c:\windows\system32\vbalSGrid6.ocx
2009-04-16 23:40 . 2009-04-16 23:40 -------- d-sh--r c:\windows\system32\svchost
2009-04-15 23:39 . 2009-04-19 14:45 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
2009-04-14 09:56 . 2009-04-14 09:56 3532 ----a-w C:\drmHeader.bin
2009-03-30 05:33 . 2009-03-30 05:33 828160 ----a-w c:\windows\boinc.scr
2009-03-23 08:20 . 2009-03-23 08:20 -------- d-----w c:\documents and settings\Guru\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-19 15:28 . 2009-01-10 04:13 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-18 00:09 . 2008-11-02 00:50 -------- d-----w c:\documents and settings\Guru\Application Data\uTorrent
2009-04-15 23:40 . 2009-04-15 23:39 -------- d-----w c:\program files\BOINC
2009-04-14 12:04 . 2009-03-14 06:53 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-13 01:00 . 2009-04-13 01:00 -------- d-----w c:\program files\Intelore
2009-04-06 07:32 . 2009-01-10 04:13 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 07:32 . 2009-01-10 04:13 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-22 23:27 . 2009-03-22 23:27 -------- d-----w c:\program files\DivX
2009-03-14 06:55 . 2009-03-14 06:53 -------- d-----w c:\program files\Google
2009-03-01 08:48 . 2009-03-01 08:48 -------- d-----w c:\program files\Common Files\NSV
2009-02-21 09:04 . 2008-11-01 03:15 -------- d--h--w c:\program files\InstallShield Installation Information
2009-02-13 08:05 . 2009-02-13 08:05 410984 ----a-w c:\windows\system32\deploytk.dll
2009-01-25 05:15 . 2009-01-25 05:15 0 ----a-w C:\NdoorsLog.txt
2008-12-14 14:56 . 2008-11-01 03:12 18968 ----a-w c:\documents and settings\Guru\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 05:45 . 2008-11-04 05:45 127 ----a-w c:\documents and settings\Guru\Local Settings\Application Data\fusioncache.dat
2008-12-26 03:00 . 2008-11-01 03:09 16384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-12-26 03:00 . 2008-11-01 03:09 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-12-26 03:00 . 2008-12-26 03:00 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122620081227\index.dat
2008-12-26 03:00 . 2008-11-01 03:09 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

[-] 2007-11-30 23:26 14336 0C82B0AE50BB2BC8A96A753F4EDC495F c:\windows\system32\svchost.exe

[-] 2007-11-30 23:26 578560 6C74C62ECDC3981A7F1F8F1656B27871 c:\windows\system32\user32.dll

[-] 2007-11-30 23:26 82432 36F8F7A2EF12ED817FC16C3248E39092 c:\windows\system32\ws2_32.dll

[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2GDR\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2QFE\wininet.dll
[-] 2007-12-29 14:04 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\system32\wininet.dll

[-] 2007-12-29 14:05 361344 25FA97DFFD06153B735BFB7AD359BC65 c:\windows\system32\drivers\tcpip.sys

[-] 2007-11-30 23:26 507904 45FFE966290B9C4BA659325561DE4830 c:\windows\system32\winlogon.exe

[-] 2007-11-30 17:18 182656 D1B364F049EB84A883C8A45D3B92FF3B c:\windows\system32\drivers\ndis.sys

[-] 2007-11-30 16:44 36608 EF9BB587E33C2C245B5B83E882501FF6 c:\windows\system32\drivers\ip6fw.sys

[-] 2008-08-14 06:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-12-29 14:43 2227072 7CD93F0F8149EFE5AED4A8C0195004DB c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\ntkrnlpa.exe

[-] 2008-08-14 07:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-12-29 14:00 2350208 17A60CD35FBE6DD5BEAAF93BED6138B8 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-30 23:26 1033728 E0EE428F4777A3CD8760BAD61F87ABED c:\windows\explorer.exe

[-] 2007-11-30 23:26 108544 76727219614A50B2DB29BD0CDA4260D5 c:\windows\system32\services.exe

[-] 2007-11-30 23:26 13312 4DD0637AE896EB8E00DF331D1CCCFC5C c:\windows\system32\lsass.exe

[-] 2007-11-30 23:26 15360 E6735D6E15457E06FEDE517051AF0D70 c:\windows\system32\ctfmon.exe

[-] 2007-11-30 23:26 57856 0DD64932B9A6394B53222B7FD294D12A c:\windows\system32\spoolsv.exe

[-] 2007-11-30 23:26 26112 813B2E9C4CAEA05FBA51A442FAB7A95D c:\windows\system32\userinit.exe

[-] 2007-11-30 23:26 295424 03178DA1A2B7C9B918E5062B2080D732 c:\windows\system32\termsrv.dll

[-] 2007-11-30 23:25 989696 64B3A42738CE5BFB1A4B96971521329A c:\windows\system32\kernel32.dll

[-] 2007-11-30 23:25 17408 CDD4433EDE84A9266363507111095B4E c:\windows\system32\powrprof.dll

[-] 2007-11-30 23:25 110080 934986D43BF2B0734E6BC33130CB163D c:\windows\system32\imm32.dll

[-] 2007-12-29 14:43 1613824 6EB0FCD71AAB8E5378321475AE8DB732 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-11-30 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 1443072]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-03-30 4178688]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-03-30 58112]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-29 123904]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Guru\\Desktop\\utorrent.exe"=

R2 gupdate1c9a471a42bfa18;Google Update Service (gupdate1c9a471a42bfa18);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-02-20 472320]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Dnscache
*Deregistered* - eamon
*Deregistered* - easdrv
*Deregistered* - ekrn
*Deregistered* - epfwtdir
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - seclogon
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 13:38]

2009-04-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 06:53]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Guru\Application Data\Mozilla\Firefox\Profiles\nknx870v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 23:32
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-19 23:33
ComboFix-quarantined-files.txt 2009-04-19 15:33
ComboFix2.txt 2009-04-19 15:11

Pre-Run: 73,124,216,832 bytes free
Post-Run: 73,116,123,136 bytes free

201 --- E O F --- 2008-12-25 18:00

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
STEP 01
Please update HJT
Your version: HijackThis v1.99.1
Current version: HijackThis v2.0.2

Update TrendMicro™ HijackThis™
Your version of TrendMicro™ HijackThis™ is outdated. You need to download and install the latest version 2.0.2
  • Download HJTInstall.exe to your desktop.
  • Doubleclick HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • It will create a HijackThis icon on your desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
  • You can delete the old version of HJT, located here: C:\Program Files\HijackThis\DS.exe

STEP 02
Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.

If you're unable to connect and get an update you can copy the rules.ref from this location on another clean computer.
C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware back over to the infected computer.

STEP 03
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 04
    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
     
    If you're already running inside Windows you can enable it the following way.
     
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • NOTE: If the file is over about 150 lines or so then DELETE the C:\Windows\ntbtlog.txt file and restart the computer and post the NEW one it creates.
  • NOTE: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Administrator
  • The tab is called BOOT on Vista. Then choose Boot log

STEP 05
RootRepeal - Rootkit Detector
  • Please download the following tool: RootRepeal - Rootkit Detector
  • Direct download link is here: RootRepeal.rar
  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here: WinRAR
  • Extract the program file to a new folder such as C:\RootRepeal
  • Run the program RootRepeal.exe and go to the REPORT tab and click on the Scan button
  • Select ALL of the checkboxes and then click OK and it will start scanning your system.
  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.
  • When done, click on Save Report
  • Save it to the same location where you ran it from, such as C:\RootRepeal
  • Save it as your_name_rootrepeal.txt - where your_name is your forum name
  • This makes it easier to track who the log belongs to.
  • Then open that log and select all and copy/paste it back on your next reply please.
  • Quit the RootRepeal program.
Ron Lewis
Manager, Online Support

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
Jazza

    New Member

  • Members
  • 36 posts

AdvancedSetup, on Apr 24 2009, 02:14 AM, said:

STEP 01
Please update HJT
Your version: HijackThis v1.99.1
Current version: HijackThis v2.0.2
Done, logfile follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:31 PM, on 4/24/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1390067357-2049760794-682003330-1003 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4844 bytes


STEP 02
Update and Scan with Malwarebytes' Anti-Malware

Then post back the MBAM log and a new Hijackthis log.

Runtime error 372 Failed to load "Vbalgrid" from vbalsgrid6.ocx. Your version of vbalsgrid6.ocx may be outdated. Make sure you are using the version of the control that was provided with your application.

STEP 03
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr

Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

Done.
Attach.txt
==== Installed Programs ======================

µTorrent
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Athlon 64 Processor Driver
Atlantica Online
AutoUpdate
Bejeweled 2 Deluxe
BOINC
DivX Codec
DivX Converter
DivX Web Player
Driver Genius Professional Edition
DUNGEONS & DRAGONS ONLINE™: Stormreach™ v01.07.00.8160
ESET NOD32 Antivirus
Google Earth
Google Update Helper
Google Updater
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Java™ 6 Update 12
Malwarebytes' Anti-Malware
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.8)
NVIDIA Drivers
NVIDIA PhysX v8.09.04
OpenOffice.org 3.0
RAR Password Recovery v1.1 RC16 (remove only)
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Vista System Properties
WebFldrs XP
Winamp
Windows Media Format 11 runtime
Windows Media Player 11
ZipGenius 6 (6.0.3.1150)

==== End Of File ===========================

DDS.txt

DDS (Ver_09-03-16.01) - NTFSx86
Run by Guru at 18:00:54.34 on Fri 04/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12

============== Pseudo HJT Report ===============

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [boincmgr] "c:\program files\boinc\boincmgr.exe" /a /s
mRun: [boinctray] "c:\program files\boinc\boinctray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\guru\applic~1\mozilla\firefox\profiles\nknx870v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-04-24 16:38 <DIR> --d----- c:\windows\pss
2009-04-24 16:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-24 16:36 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-24 16:36 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-21 06:40 14,336 a------- c:\windows\system32\svchost.exe
2009-04-20 01:06 94,208 a------- c:\windows\system32\vbalIml6.ocx
2009-04-20 01:06 40,960 a------- c:\windows\system32\SSubTmr6.dll
2009-04-19 23:31 <DIR> --d----- C:\Combo-Fix
2009-04-19 23:07 <DIR> a-dshr-- C:\cmdcons
2009-04-19 23:06 161,792 a------- c:\windows\SWREG.exe
2009-04-19 23:06 98,816 a------- c:\windows\sed.exe
2009-04-19 22:39 <DIR> --d----- c:\windows\system32\appmgmt
2009-04-18 08:31 491,520 a------- c:\windows\system32\vbalSGrid6.ocx
2009-04-17 07:40 <DIR> --dshr-- c:\windows\system32\svchost
2009-04-16 07:39 <DIR> --d----- c:\program files\BOINC
2009-04-16 07:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BOINC
2009-04-13 09:00 <DIR> --d----- c:\program files\Intelore
2009-03-30 13:33 828,160 a------- c:\windows\boinc.scr

==================== Find3M ====================

2009-02-13 16:05 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-26 11:00 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-12-26 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-12-26 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008122620081227\index.dat
2008-12-26 11:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 18:00:59.31 ===============


STEP 04
Please create a BOOTLOG

big file attached

STEP 05
RootRepeal - Rootkit Detector

ROOTREPEAL © AD, 2007-2008
==================================================
Scan Time: 2009/04/24 16:41
Program Version: Version 1.2.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF16E5000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B04000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6936000 Size: 45056 File Visible: No
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\Guru\Local Settings\temp\etilqs_Igab71GucWz377g7yF1Q
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\Guru\Local Settings\temp\etilqs_WXDYnb4XwX7fSkuBrDks
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Documents and Settings\All Users\Application Data\BOINC\slots\2\fold.dat
Status: Size mismatch (API: 2621440, Raw: 0)

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Backstreet Boys - Show Me the Meaning of Being Lonely.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Barry White - You're The First, The Last, My Everything .mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Nick Cave & Kylie Minogue - Where The Wild Roses Grow.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Celine Dion, Gloria Estefan, Shania Twain & Carole King - You'Ve Got A Friend.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Natalie Cole - Unforgettable (Duet With Nat King Cole).mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Willie Nelson & Julio Iglesias - To All the Women I've Loved Before.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Bill Medley & Jennifer Warner - I've Had the Time of my Life.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Elton John, Blue - Sorry Seems To Be The Hardest Word.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Elton John, George Michael - Don't Let The Sun Go Down On Me.wma
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Elvis Presley - I Can'T Help Falling In Love With You.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Michael Bolton - How Am I Supposed To Live Without You.mp3
Status: Locked to the Windows API!

Path: C:\Documents and Settings\Guru\My Documents\My Music\Slow Dance, Love Songs & Rock Ballads - Best Ever Collection\Compilation - The Best Slow Dance, Love Songs & Rock Ballads Collection Ever (190 Songs)\Four Seasons - December 1963 (Oh What A Night) (80'S Remix).mp3
Status: Locked to the Windows API!

Done and done, thanks for your help.

#4
AdvancedSetup

    Forum Deity

Well I don't see the attached files. Delete your bootlog file and then restart the computer and it will now be small enough to post, so please do post a new one directly into your next reply.

Please don't quote and fill in the blanks as that actually makes it more difficult to read, thanks.


Then please also run the following. Again, please do not use any quotes or other formatting; just post the results back directly.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#5
Jazza

    New Member

Ok, sorry about that formatting; it didn't look very neat. Here's the new ntbtlog:

Service Pack 3, v.5657 4 25 2009 12:35:02.500
Loaded driver \WINDOWS\system32\ntkrnlpa.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver ohci1394.sys
Loaded driver \WINDOWS\system32\DRIVERS\1394BUS.SYS
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver dmload.sys
Loaded driver dmio.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltMgr.sys
Loaded driver sr.sys
Loaded driver PxHelp20.sys
Loaded driver KSecDD.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\nic1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\AmdK8.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\drivers\ALCXWDM.SYS
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\yk51x86.sys
Loaded driver \SystemRoot\system32\DRIVERS\nvnetbus.sys
Loaded driver \SystemRoot\system32\DRIVERS\nv4_mini.sys
Loaded driver \SystemRoot\system32\DRIVERS\ASACPI.sys
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\drivers\msmpu401.sys
Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdpdr.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\system32\DRIVERS\epfwtdir.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\system32\DRIVERS\processr.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\system32\DRIVERS\arp1394.sys
Loaded driver \SystemRoot\system32\DRIVERS\hidusb.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouhid.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\easdrv.sys
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ndisuio.sys
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Loaded driver \SystemRoot\system32\DRIVERS\eamon.sys
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys

and combofix:

ComboFix 09-04-25.03 - Guru 04/25/2009 12:43.3 - NTFSx86
Running from: c:\documents and settings\Guru\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 08:36 . 2009-04-06 07:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-24 08:36 . 2009-04-06 07:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-20 22:40 . 2007-11-30 23:26 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-19 17:06 . 2003-03-31 23:36 94208 ----a-w c:\windows\system32\vbalIml6.ocx
2009-04-19 17:06 . 2003-01-26 05:41 40960 ----a-w c:\windows\system32\SSubTmr6.dll
2009-04-18 00:31 . 2004-02-10 16:32 491520 ----a-w c:\windows\system32\vbalSGrid6.ocx
2009-04-16 23:40 . 2009-04-16 23:40 -------- d-sh--r c:\windows\system32\svchost
2009-04-15 23:39 . 2009-04-25 04:37 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
2009-03-30 05:33 . 2009-03-30 05:33 828160 ----a-w c:\windows\boinc.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-24 08:36 . 2009-04-24 08:36 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-23 21:52 . 2008-11-02 00:50 -------- d-----w c:\documents and settings\Guru\Application Data\uTorrent
2009-04-15 23:40 . 2009-04-15 23:39 -------- d-----w c:\program files\BOINC
2009-04-14 12:04 . 2009-03-14 06:53 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-04-13 01:00 . 2009-04-13 01:00 -------- d-----w c:\program files\Intelore
2009-03-23 08:20 . 2009-03-23 08:20 -------- d-----w c:\documents and settings\Guru\Application Data\DivX
2009-03-22 23:27 . 2009-03-22 23:27 -------- d-----w c:\program files\DivX
2009-03-14 06:55 . 2009-03-14 06:53 -------- d-----w c:\program files\Google
2009-03-01 08:48 . 2009-03-01 08:48 -------- d-----w c:\program files\Common Files\NSV
2009-02-13 08:05 . 2009-02-13 08:05 410984 ----a-w c:\windows\system32\deploytk.dll
2009-01-25 05:15 . 2009-01-25 05:15 0 ----a-w C:\NdoorsLog.txt
2008-12-14 14:56 . 2008-11-01 03:12 18968 ----a-w c:\documents and settings\Guru\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-11-04 05:45 . 2008-11-04 05:45 127 ----a-w c:\documents and settings\Guru\Local Settings\Application Data\fusioncache.dat
2008-12-26 03:00 . 2008-11-01 03:09 16384 --sha-w c:\windows\system32\config\systemprofile\Cookies\index.dat
2008-12-26 03:00 . 2008-11-01 03:09 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
2008-12-26 03:00 . 2008-12-26 03:00 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122620081227\index.dat
2008-12-26 03:00 . 2008-11-01 03:09 32768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.

------- Sigcheck -------

[-] 2007-11-30 23:26 14336 0C82B0AE50BB2BC8A96A753F4EDC495F c:\windows\system32\svchost.exe

[-] 2007-11-30 23:26 578560 6C74C62ECDC3981A7F1F8F1656B27871 c:\windows\system32\user32.dll

[-] 2007-11-30 23:26 82432 36F8F7A2EF12ED817FC16C3248E39092 c:\windows\system32\ws2_32.dll

[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2GDR\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2QFE\wininet.dll
[-] 2007-12-29 14:04 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\system32\wininet.dll

[-] 2007-12-29 14:05 361344 25FA97DFFD06153B735BFB7AD359BC65 c:\windows\system32\drivers\tcpip.sys

[-] 2007-11-30 23:26 507904 45FFE966290B9C4BA659325561DE4830 c:\windows\system32\winlogon.exe

[-] 2007-11-30 17:18 182656 D1B364F049EB84A883C8A45D3B92FF3B c:\windows\system32\drivers\ndis.sys

[-] 2007-11-30 16:44 36608 EF9BB587E33C2C245B5B83E882501FF6 c:\windows\system32\drivers\ip6fw.sys

[-] 2008-08-14 06:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-12-29 14:43 2227072 7CD93F0F8149EFE5AED4A8C0195004DB c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\ntkrnlpa.exe

[-] 2008-08-14 07:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-12-29 14:00 2350208 17A60CD35FBE6DD5BEAAF93BED6138B8 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-30 23:26 1033728 E0EE428F4777A3CD8760BAD61F87ABED c:\windows\explorer.exe

[-] 2007-11-30 23:26 108544 76727219614A50B2DB29BD0CDA4260D5 c:\windows\system32\services.exe

[-] 2007-11-30 23:26 13312 4DD0637AE896EB8E00DF331D1CCCFC5C c:\windows\system32\lsass.exe

[-] 2007-11-30 23:26 15360 E6735D6E15457E06FEDE517051AF0D70 c:\windows\system32\ctfmon.exe

[-] 2007-11-30 23:26 57856 0DD64932B9A6394B53222B7FD294D12A c:\windows\system32\spoolsv.exe

[-] 2007-11-30 23:26 26112 813B2E9C4CAEA05FBA51A442FAB7A95D c:\windows\system32\userinit.exe

[-] 2007-11-30 23:26 295424 03178DA1A2B7C9B918E5062B2080D732 c:\windows\system32\termsrv.dll

[-] 2007-11-30 23:25 989696 64B3A42738CE5BFB1A4B96971521329A c:\windows\system32\kernel32.dll

[-] 2007-11-30 23:25 17408 CDD4433EDE84A9266363507111095B4E c:\windows\system32\powrprof.dll

[-] 2007-11-30 23:25 110080 934986D43BF2B0734E6BC33130CB163D c:\windows\system32\imm32.dll

[-] 2007-12-29 14:43 1613824 6EB0FCD71AAB8E5378321475AE8DB732 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-19_15.10.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-25 04:37 . 2009-04-25 04:37 16384 c:\windows\Temp\Perflib_Perfdata_70c.dat
+ 2008-11-01 03:00 . 2004-08-04 11:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-11-30 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-03-30 4178688]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-03-30 58112]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2007-11-30 169984]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-29 123904]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Guru\\Desktop\\utorrent.exe"=

R2 ekrn;Eset Service; [x]
R2 gupdate1c9a471a42bfa18;Google Update Service (gupdate1c9a471a42bfa18);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Dnscache
*Deregistered* - eamon
*Deregistered* - easdrv
*Deregistered* - epfwtdir
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - seclogon
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 13:38]

2009-04-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 06:53]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Guru\Application Data\Mozilla\Firefox\Profiles\nknx870v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 12:44
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-25 12:45
ComboFix-quarantined-files.txt 2009-04-25 04:44
ComboFix2.txt 2009-04-19 15:33
ComboFix3.txt 2009-04-19 15:11

Pre-Run: 72,725,864,448 bytes free
Post-Run: 72,719,970,304 bytes free

211 --- E O F --- 2008-12-25 18:00
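
The DDS "Created Last 30" listing in the earlier post and the ComboFix "Files Created" and "Reg Loading Points" sections above carry the same kind of evidence a responder reads for by hand: a hidden, system-attributed directory called svchost sitting directly in system32, an AutoRun handler registered under mountpoints2 for drive E:, and the Security Center antivirus/update notifications switched off. The script below is an added example, not part of the thread and not a tool from Malwarebytes, DDS or ComboFix, of parsing both listing formats and the ComboFix registry dump and flagging such entries automatically. The sample lines are copied from the logs posted above; the CORE_NAMES set, the SYSTEM_DIRS tuple and the flagging rules are this example's own assumptions.

```python
"""Added example: triage DDS / ComboFix file listings and ComboFix registry
loading points for entries that deserve a closer look.

Sample lines are copied from the logs posted in this thread; CORE_NAMES,
SYSTEM_DIRS and the flagging rules are this example's own assumptions."""
import re
from dataclasses import dataclass

# Core Windows process names. A *directory* carrying one of these names, or a
# file with one of them outside the system directories, is a common disguise.
CORE_NAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows")

# DDS "Created Last 30":  2009-04-17 07:40 <DIR> --dshr-- c:\windows\system32\svchost
# attribute string: a=archive at [0], d=directory [2], s=system [3], h=hidden [4]
DDS_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:<DIR>|[\d,]+)\s+"
    r"(?P<attr>[-a-z]{8})\s+(?P<path>.+?)\s*$", re.I)
# ComboFix "Files Created":
#   2009-04-16 23:40 . 2009-04-16 23:40 -------- d-sh--r c:\windows\system32\svchost
# attribute string: d=directory at [0], s=system [2], h=hidden [3], a=archive [4]
CF_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:-+|\d+)\s+(?P<attr>[-a-z]{7})\s+(?P<path>.+?)\s*$", re.I)

AUTORUN_RE = re.compile(r"\\shell\\autorun\\command\s+-\s+(?P<cmd>.+)$", re.I)
NOTIFY_RE = re.compile(
    r'^"(?P<name>(?:AntiVirus|Firewall|Updates)DisableNotify)"=dword:(?P<val>[0-9a-f]{8})$', re.I)


@dataclass
class Entry:
    date: str
    path: str      # lower-cased full path
    is_dir: bool
    system: bool
    hidden: bool
    source: str    # "dds" or "combofix"


def parse_listing(text):
    """Parse either listing format; lines matching neither are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = DDS_RE.match(line)
        if m:
            a = m["attr"].lower()
            entries.append(Entry(m["date"], m["path"].lower(),
                                 a[2] == "d", a[3] == "s", a[4] == "h", "dds"))
            continue
        m = CF_RE.match(line)
        if m:
            a = m["attr"].lower()
            entries.append(Entry(m["date"], m["path"].lower(),
                                 a[0] == "d", a[2] == "s", a[3] == "h", "combofix"))
    return entries


def split_path(path):
    parent, _, name = path.rpartition("\\")
    return parent, name, name.rsplit(".", 1)[0]


def flag_entries(entries):
    """Return (path, source, reasons) for entries that look out of place."""
    findings = []
    for e in entries:
        parent, _, stem = split_path(e.path)
        reasons = []
        if stem in CORE_NAMES and (e.is_dir or parent not in SYSTEM_DIRS):
            reasons.append("named after a core Windows process but is a directory "
                           "or lives outside the system directories")
        if e.hidden and e.system and parent in SYSTEM_DIRS:
            reasons.append("hidden+system attributes set directly under a system directory")
        if reasons:
            findings.append((e.path, e.source, reasons))
    return findings


def flag_registry(text):
    """Walk a ComboFix 'Reg Loading Points' dump, tracking the current key."""
    findings, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = AUTORUN_RE.search(line)
        if m and key and "mountpoints2" in key:
            findings.append((key, "drive AutoRun handler -> " + m["cmd"].strip()))
        m = NOTIFY_RE.match(line)
        if m and key and "security center" in key and int(m["val"], 16) == 1:
            findings.append((key, m["name"] + " = 1 (Security Center alert suppressed)"))
    return findings


# Sample input copied from the DDS and ComboFix logs posted in this thread.
SAMPLE_DDS = r"""
2009-04-24 16:36 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-21 06:40 14,336 a------- c:\windows\system32\svchost.exe
2009-04-19 23:07 <DIR> a-dshr-- C:\cmdcons
2009-04-17 07:40 <DIR> --dshr-- c:\windows\system32\svchost
"""
SAMPLE_CF = r"""
2009-04-20 22:40 . 2007-11-30 23:26 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-16 23:40 . 2009-04-16 23:40 -------- d-sh--r c:\windows\system32\svchost
2009-04-15 23:39 . 2009-04-25 04:37 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
"""

if __name__ == "__main__":
    for path, src, reasons in flag_entries(parse_listing(SAMPLE_DDS) + parse_listing(SAMPLE_CF)):
        print(f"[{src}] {path}: " + "; ".join(reasons))
    for key, what in flag_registry(SAMPLE_REG):
        print(f"[reg] {key}: {what}")
```

The legitimate c:\windows\system32\svchost.exe and the Recovery Console folder C:\cmdcons (hidden and system, but not under a system directory) pass through untouched; only the svchost directory and the three registry entries are reported, which matches what a reader picks out of the logs by eye.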

#6
Jazza

    New Member

And a new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:37 PM, on 4/25/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1390067357-2049760794-682003330-1003 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4872 bytes
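
Reading the HijackThis log above, the points a responder checks first are the O23 service entries whose binaries are reported "(file missing)" (both ESET services here), the O4 Run entries whose executables do not appear in the running-process list, the MSConfig /auto Run entry (which MSConfig typically leaves behind while selective or diagnostic startup is in effect, and which the next reply asks the poster to undo), and any O16 DPF ActiveX download. The parser below is an added example of doing those checks mechanically; it is not part of the thread and not HijackThis or Malwarebytes code. The sample log lines are copied from the post above; the regular expressions, the exe_of helper and the triage rules are this example's own assumptions.

```python
"""Added example: parse a HijackThis 2.x log and list the entries a responder
normally checks first. Sample lines are copied from the log in this thread;
the regexes and triage rules are this example's own assumptions."""
import re

# Line shapes handled (taken from the posted log):
#   O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
#   O16 - DPF: {CLSID} (Shockwave Flash Object) - http://.../swflash.cab
#   O23 - Service: Eset Service (ekrn) - Unknown owner - C:\...\ekrn.exe (file missing)
O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+?)(?: \(User '[^']*'\))?$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\})(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")


def exe_of(cmd):
    """Base name of the executable a Run value launches (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return exe.rsplit("\\", 1)[-1].lower()


def parse_hjt(text):
    report = {"processes": set(), "run": [], "dpf": [], "services": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:                       # block ends at the first blank line
            if not line:
                in_procs = False
            else:
                report["processes"].add(line.rsplit("\\", 1)[-1].lower())
            continue
        for key, rx in (("run", O4_RE), ("dpf", O16_RE), ("services", O23_RE)):
            m = rx.match(line)
            if m:
                report[key].append(m.groupdict())
                break
    return report


def triage(report):
    findings = []

    def note(msg):
        if msg not in findings:            # HKCU and HKUS often repeat a value
            findings.append(msg)

    for s in report["services"]:
        if s["missing"]:
            note(f"O23 {s['short']}: registered service binary missing ({s['path']})")
        elif s["owner"].lower() == "unknown owner":
            note(f"O23 {s['short']}: no publisher recorded for {s['path']}")
    for r in report["run"]:
        if r["name"].lower() == "msconfig":
            note("O4 MSConfig /auto: MSConfig selective/diagnostic startup is in effect")
        elif exe_of(r["cmd"]) not in report["processes"]:
            note(f"O4 {r['name']}: {exe_of(r['cmd'])} not seen in running processes")
    for d in report["dpf"]:
        note(f"O16 {d['clsid']}: ActiveX download from {d['url']}")
    return findings


# Sample input copied (in part) from the HijackThis log posted in this thread.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_HJT)):
        print(line)
```

A Run entry whose executable is not running is only informational (SoundMan and MSMSGS here simply have not started or have exited), but it is exactly the comparison a responder makes between the O4 list and the process list, and the two "(file missing)" ESET services explain why NOD32's egui and ekrn no longer appear among the running processes.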

#7
AdvancedSetup

    Forum Deity

Are you editing the Combofix log file? That does not look like a full complete CF log.

Please click on START - RUN and type in MSCONFIG and then select NORMAL STARTUP and reboot the computer.

Then run the following.

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup218.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts



Please download to your Desktop: Dr.Web CureIt
  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked
  • On the Log file tab leave the Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details Leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.
  • On the General tab leave the Scan Priority on High
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives
  • The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

Ron Lewis
Manager, Online Support


Follow us: Twitter, Become a fan: Facebook

If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#8
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
I'm just cutting and pasting the ComboFix log. I even went through and compared the txt and my post, and they are the same. Following the rest of your instructions now. Wish me luck.

#9
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
CCleaner went without a hitch. Dr.Web CureIt is another issue. It's scanning again now, but the first scan stopped. I'm not sure whether it timed out due to no response (I had to go out), but before it died it found that ComboFix had infections in its dir and in the prog itself. Perhaps that's why the log looked incomplete to you.

I've restarted the scan. Will keep you posted.

#10
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Hey there,

New Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:29:07 AM, on 4/26/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\BOINC\boinc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1390067357-2049760794-682003330-1003 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4671 bytes


And Drweb:

A0016852.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Trojan.PWS.Multi.34;Deleted.;
A0016855.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Tool.ShowPass;Moved.;
A0018338.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164\A0018338.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Archive contains infected objects;;
A0018338.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Container contains infected objects;Moved.;
A0018432.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Trojan.PWS.Multi.34;Deleted.;
A0018467.bat;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Probably BATCH.Virus;Incurable.Moved.;
A0018493.bat;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Probably BATCH.Virus;Incurable.Moved.;
A0018632.exe/data002\32788R22FWJFW\c.bat;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164\A0018632.exe/data002;Probably BATCH.Virus;;
A0018632.exe/data002\32788R22FWJFW\FIND3M.bat;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164\A0018632.exe/data002;Probably BATCH.Virus;;
A0018632.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164\A0018632.exe/data002;Program.PsExec.171;;
data002;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Archive contains infected objects;;
A0018632.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Container contains infected objects;Moved.;
system.exe;C:\WINDOWS\system32\svchost;Trojan.PWS.Multi.34;Deleted.;
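
The Dr.Web report above mixes three very different kinds of hit: copies inside System Restore snapshots (`System Volume Information\_restore{...}\RP164`), ComboFix's own bundled tools (`psexec.cfexe`, `FIND3M.bat`, `c.bat` inside its `32788R22FWJFW` folder), and one live file, `system.exe`, sitting in a folder named `svchost` under `system32`. The script below is an added example (not part of the thread and not Dr.Web code) that parses the report's `name;directory;threat;action;` lines and sorts them that way. The sample lines are copied from the report; the classification rules, the list of system binary names, and the treatment of the `32788R22FWJFW` folder as ComboFix's package are this example's own assumptions.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv) by where each hit lives.

Added example; it is not part of the forum thread and not Dr.Web code.
The sample lines are copied from the report posted above; the rules for
sorting them (restore-point copy vs. live file, ComboFix's own package
folder, a directory named like a system binary) are this example's
assumptions, not something the scanner reports itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: four of the lines from the posted DrWeb.csv
# (fields are name;directory;threat;action; as in the log).
SAMPLE_REPORT = r"""
A0016852.exe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Trojan.PWS.Multi.34;Deleted.;
A0018338.exe/data002\32788R22FWJFW\psexec.cfexe;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164\A0018338.exe/data002;Program.PsExec.171;;
A0018467.bat;C:\System Volume Information\_restore{6467D4EF-AC31-4C81-AB1D-59F1879CCF9C}\RP164;Probably BATCH.Virus;Incurable.Moved.;
system.exe;C:\WINDOWS\system32\svchost;Trojan.PWS.Multi.34;Deleted.;
"""

# System Restore snapshot folders hold copies of old files, not running code.
RESTORE_RE = re.compile(r"^[a-z]:\\System Volume Information\\_restore\{", re.I)
# ComboFix's working folder, visible in the posted report (psexec.cfexe,
# FIND3M.bat and c.bat live there). Hits inside it are the tool's own parts.
TOOL_FOLDER = "32788R22FWJFW"
# Assumed list of Windows binary names that malware likes to borrow.
SYSTEM_BASENAMES = {"svchost", "lsass", "csrss", "winlogon", "services", "smss", "explorer"}


@dataclass
class Hit:
    name: str
    directory: str
    threat: str
    action: str
    location: str          # "restore_point" or "live"
    in_tool_package: bool  # inside ComboFix's working folder
    masquerade: bool       # live file inside a folder named like a system binary


def parse_line(line):
    fields = line.rstrip("\r\n").split(";")
    if len(fields) < 4:
        return None
    name, directory, threat, action = fields[:4]
    location = "restore_point" if RESTORE_RE.match(directory) else "live"
    in_tool = TOOL_FOLDER in name or TOOL_FOLDER in directory
    # Last path component of the directory; for archive members it is the
    # "dataNNN" member name, which never collides with a system binary.
    parent = directory.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()
    masquerade = location == "live" and parent in SYSTEM_BASENAMES
    return Hit(name, directory, threat, action, location, in_tool, masquerade)


def triage(report_text):
    return [h for h in (parse_line(l) for l in report_text.splitlines()) if h]


def summarize(hits):
    """Counts plus the two lists a responder acts on first."""
    return {
        "live": sum(h.location == "live" for h in hits),
        "restore_point": sum(h.location == "restore_point" for h in hits),
        "tool_package": sum(h.in_tool_package for h in hits),
        "masquerade": [h.directory + "\\" + h.name for h in hits if h.masquerade],
        # live hits the scanner reported but took no action on
        "unhandled": [h.name for h in hits if h.location == "live" and not h.action],
    }


if __name__ == "__main__":
    for key, value in summarize(triage(SAMPLE_REPORT)).items():
        print(key, value)
```

Run on the sample, the summary shows three restore-point copies (one of them a ComboFix component, which is what the earlier post meant by "infections in its dir"), and a single live hit, `C:\WINDOWS\system32\svchost\system.exe`, flagged because its parent folder borrows the name of a Windows binary. That one line is the finding that matters; "Deleted." only says the file is gone, not that whatever dropped it or launched it is.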

#11
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
It appears that svchost may have been infected, at least at one time.
Please make sure you still have a c:\WINDOWS\system32\svchost.exe file on your system...

Please delete any current version of MBAM you may have and now try to download and install a new version.

Update and Scan with Malwarebytes' Anti-Malware
  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
Then post back the MBAM log and a new Hijackthis log.
Ron Lewis
Manager, Online Support

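
The reply above asks the poster to confirm that `c:\WINDOWS\system32\svchost.exe` is still present. The script below is an added example (not from the thread, ComboFix or Malwarebytes) that does that check in code and extends it: it parses size + MD5 lines in the layout of ComboFix's Sigcheck section, compares each listed binary on disk against those values, and also reports a directory whose name equals a binary's stem (a `svchost` folder beside `svchost.exe`, the hiding place seen in the Dr.Web report). The Sigcheck values in a log from the suspect machine are a record of that machine, not a baseline; reference hashes must come from a known-clean install of the same Windows build and patch level. The fixture in `demo()` is constructed and the file contents are not real Windows binaries.

```python
"""Verify that system binaries are present and unmodified against a baseline.

Added example; it is not from the forum thread, ComboFix or Malwarebytes.
It does in code what the reply above asks for (is system32\\svchost.exe
still there?), using the size + MD5 layout of the Sigcheck lines in the
ComboFix log posted earlier. Those log values describe the suspect
machine, so they are a record, not a baseline: the reference hashes must
come from a known-clean install of the same Windows build and patch
level. The fixture in demo() is constructed, not real Windows binaries.
"""
import hashlib
import os
import re
import tempfile

# Layout of a Sigcheck line in the ComboFix log:
# "[-] 2007-11-30 23:26 14336 0C82B0AE50BB2BC8A96A753F4EDC495F c:\windows\system32\svchost.exe"
SIGCHECK_RE = re.compile(r"^\[.\]\s+\S+\s+\S+\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+?)\s*$")


def parse_sigcheck(text):
    """Turn Sigcheck-style lines into {path: (size, MD5)}; paths may contain spaces."""
    baseline = {}
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            baseline[m.group(3).lower()] = (int(m.group(1)), m.group(2).upper())
    return baseline


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def verify(baseline):
    """Compare each baseline entry with the file on disk.

    Status per path: ok, missing, size_mismatch, hash_mismatch. A directory
    whose name equals a binary's stem (a 'svchost' folder next to
    svchost.exe, the hiding place in the Dr.Web report above) is reported
    as well, because it survives even when the .exe itself checks out."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif os.path.getsize(path) != size:
            findings[path] = "size_mismatch"
        elif md5_of(path) != digest:
            findings[path] = "hash_mismatch"
        else:
            findings[path] = "ok"
        stem = os.path.splitext(os.path.basename(path))[0]
        twin = os.path.join(os.path.dirname(path), stem)
        if os.path.isdir(twin):
            findings[twin] = "directory_named_like_binary"
    return findings


def demo():
    """Constructed fixture: a fake system32 with an intact svchost.exe, a
    patched lsass.exe (same size, one byte changed), a missing winlogon.exe
    and a 'svchost' folder holding system.exe. Returns {relative path: status}."""
    s32 = os.path.join(tempfile.mkdtemp(), "system32")
    os.makedirs(os.path.join(s32, "svchost"))
    clean = {"svchost.exe": b"MZ" + b"A" * 100, "lsass.exe": b"MZ" + b"B" * 50}
    baseline = {}
    for name, data in clean.items():
        with open(os.path.join(s32, name), "wb") as f:
            f.write(data)
        baseline[os.path.join(s32, name)] = (len(data), hashlib.md5(data).hexdigest().upper())
    baseline[os.path.join(s32, "winlogon.exe")] = (507904, "0" * 32)  # dummy hash; file never written
    with open(os.path.join(s32, "lsass.exe"), "r+b") as f:
        f.seek(10)
        f.write(b"X")  # in-place patch keeps the size but changes the hash
    with open(os.path.join(s32, "svchost", "system.exe"), "wb") as f:
        f.write(b"MZ")
    return {os.path.relpath(p, s32): status for p, status in verify(baseline).items()}


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:28} {path}")
```

The size check runs before the hash so that a truncated or padded replacement is caught without reading the whole file; a same-size patch, like the constructed `lsass.exe`, only shows up at the hash stage. The twin-directory check is the cheap part worth keeping even without a baseline: nothing legitimate in `system32` needs a folder called `svchost`.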

#12
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Ok, in exact order: after reading your post I downloaded the newest version of the MBAM setup program, then I removed MBAM using Control Panel > Add or Remove Programs. In the process I got the same runtime error 372. I clicked OK on that, and then the computer said that MBAM was uninstalled successfully. It then restarted itself without prompting. I ran the new setup program and got the runtime 372 error again. I am about to remove it and try using an install downloaded from a clean PC. Will keep you posted.

#13
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Hey there again, I tried running MBAM from a setup downloaded from a clean computer and got the same vbalsgrid6.ocx errors. Also, Windows Installer isn't working for adding or removing programs. It wasn't a problem for removing MBAM, but it was when I tried uninstalling NOD32. Any suggestions? Apart from belting this thing with an axe...

#14
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Sorry, here's a new HJT log; also, svchost is present.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:21:22 AM, on 4/28/2009
Platform: Windows XP SP3, v.5657 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinctray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\BOINC\boinc.exe
C:\Documents and Settings\All Users\Application Data\BOINC\projects\setiathome.berkeley.edu\astropulse_5.03_windows_intelx86.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [boincmgr] "C:\Program Files\BOINC\boincmgr.exe" /a /s
O4 - HKLM\..\Run: [boinctray] "C:\Program Files\BOINC\boinctray.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-1390067357-2049760794-682003330-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - S-1-5-21-1390067357-2049760794-682003330-1003 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User '?')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe (file missing)
O23 - Service: Eset Service (ekrn) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9a471a42bfa18) (gupdate1c9a471a42bfa18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4870 bytes

#15
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Downloaded a new ComboFix using a clean PC; here's its log also:

ComboFix 09-04-27.02 - Guru 04/28/2009 8:57.4 - NTFSx86
Running from: F:\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-27 23:08 . 2009-04-06 07:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-27 23:08 . 2009-04-06 07:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-27 23:08 . 2009-04-27 23:08 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-25 08:15 . 2009-04-25 08:59 -------- d-----w c:\documents and settings\Guru\DoctorWeb
2009-04-25 07:57 . 2009-04-25 07:57 -------- d-----w c:\program files\CCleaner
2009-04-25 04:43 . 2009-04-25 04:45 -------- d-----w C:\Combo-Fix
2009-04-20 22:40 . 2007-11-30 23:26 14336 ----a-w c:\windows\system32\svchost.exe
2009-04-19 17:06 . 2003-01-26 05:41 40960 ----a-w c:\windows\system32\SSubTmr6.dll
2009-04-16 23:40 . 2009-04-25 15:35 -------- d-sh--r c:\windows\system32\svchost
2009-04-15 23:39 . 2009-04-15 23:40 -------- d-----w c:\program files\BOINC
2009-04-15 23:39 . 2009-04-28 00:51 -------- d-----w c:\documents and settings\All Users\Application Data\BOINC
2009-04-13 01:00 . 2009-04-13 01:00 -------- d-----w c:\program files\Intelore
2009-03-30 05:33 . 2009-03-30 05:33 828160 ----a-w c:\windows\boinc.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-22 23:27 . 2009-03-22 23:27 -------- d-----w c:\program files\DivX
2009-03-14 06:55 . 2009-03-14 06:53 -------- d-----w c:\program files\Google
2009-03-01 08:48 . 2009-03-01 08:48 -------- d-----w c:\program files\Common Files\NSV
2009-02-13 08:05 . 2009-02-13 08:05 410984 ----a-w c:\windows\system32\deploytk.dll
.

------- Sigcheck -------

[-] 2007-11-30 23:26 14336 0C82B0AE50BB2BC8A96A753F4EDC495F c:\windows\system32\svchost.exe

[-] 2007-11-30 23:26 578560 6C74C62ECDC3981A7F1F8F1656B27871 c:\windows\system32\user32.dll

[-] 2007-11-30 23:26 82432 36F8F7A2EF12ED817FC16C3248E39092 c:\windows\system32\ws2_32.dll

[-] 2008-10-16 20:38 826368 6741EAF7B7F110E803A6E38F6E5FA6B0 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2GDR\wininet.dll
[-] 2008-10-16 20:24 827904 0D5B75171FF51775B630A431B6C667E8 c:\windows\SoftwareDistribution\Download\1aada90d3aca2362b0231ac90aa9a9fd\SP2QFE\wininet.dll
[-] 2007-12-29 14:04 818688 A4A0FC92358F39538A6494C42EF99FE9 c:\windows\system32\wininet.dll

[-] 2007-12-29 14:05 361344 25FA97DFFD06153B735BFB7AD359BC65 c:\windows\system32\drivers\tcpip.sys

[-] 2007-11-30 23:26 507904 45FFE966290B9C4BA659325561DE4830 c:\windows\system32\winlogon.exe

[-] 2007-11-30 17:18 182656 D1B364F049EB84A883C8A45D3B92FF3B c:\windows\system32\drivers\ndis.sys

[-] 2007-11-30 16:44 36608 EF9BB587E33C2C245B5B83E882501FF6 c:\windows\system32\drivers\ip6fw.sys

[-] 2008-08-14 06:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[-] 2007-12-29 14:43 2227072 7CD93F0F8149EFE5AED4A8C0195004DB c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\Driver Cache\i386\ntkrnlpa.exe
[-] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\system32\ntkrnlpa.exe

[-] 2008-08-14 07:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[-] 2007-12-29 14:00 2350208 17A60CD35FBE6DD5BEAAF93BED6138B8 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\Driver Cache\i386\ntoskrnl.exe
[-] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\system32\ntoskrnl.exe

[-] 2007-11-30 23:26 1033728 E0EE428F4777A3CD8760BAD61F87ABED c:\windows\explorer.exe

[-] 2007-11-30 23:26 108544 76727219614A50B2DB29BD0CDA4260D5 c:\windows\system32\services.exe

[-] 2007-11-30 23:26 13312 4DD0637AE896EB8E00DF331D1CCCFC5C c:\windows\system32\lsass.exe

[-] 2007-11-30 23:26 15360 E6735D6E15457E06FEDE517051AF0D70 c:\windows\system32\ctfmon.exe

[-] 2007-11-30 23:26 57856 0DD64932B9A6394B53222B7FD294D12A c:\windows\system32\spoolsv.exe

[-] 2007-11-30 23:26 26112 813B2E9C4CAEA05FBA51A442FAB7A95D c:\windows\system32\userinit.exe

[-] 2007-11-30 23:26 295424 03178DA1A2B7C9B918E5062B2080D732 c:\windows\system32\termsrv.dll

[-] 2007-11-30 23:25 989696 64B3A42738CE5BFB1A4B96971521329A c:\windows\system32\kernel32.dll

[-] 2007-11-30 23:25 17408 CDD4433EDE84A9266363507111095B4E c:\windows\system32\powrprof.dll

[-] 2007-11-30 23:25 110080 934986D43BF2B0734E6BC33130CB163D c:\windows\system32\imm32.dll

[-] 2007-12-29 14:43 1613824 6EB0FCD71AAB8E5378321475AE8DB732 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-19_15.10.41 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-27 11:47 . 2009-04-27 11:47 16384 c:\windows\Temp\Perflib_Perfdata_4e0.dat
+ 2008-11-01 03:00 . 2004-08-04 11:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2007-11-30 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2007-11-30 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-11 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-13 148888]
"boincmgr"="c:\program files\BOINC\boincmgr.exe" [2009-03-30 4178688]
"boinctray"="c:\program files\BOINC\boinctray.exe" [2009-03-30 58112]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-10-07 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2007-12-29 123904]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, credssp.dll, msnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Guru\\Desktop\\utorrent.exe"=

R2 ekrn;Eset Service; [x]
R2 gupdate1c9a471a42bfa18;Google Update Service (gupdate1c9a471a42bfa18);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 133104]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-02-20 33800]


--- Other Services/Drivers In Memory ---

*Deregistered* - AFD
*Deregistered* - Arp1394
*Deregistered* - audstub
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - Cdfs
*Deregistered* - Dhcp
*Deregistered* - dmio
*Deregistered* - dmload
*Deregistered* - Dnscache
*Deregistered* - DwShield00002016
*Deregistered* - eamon
*Deregistered* - easdrv
*Deregistered* - epfwtdir
*Deregistered* - Fastfat
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - JavaQuickStarterService
*Deregistered* - KSecDD
*Deregistered* - LanmanServer
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - Mouclass
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - Ntfs
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PptpMiniport
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - seclogon
*Deregistered* - sr
*Deregistered* - Srv
*Deregistered* - swenum
*Deregistered* - Tcpip
*Deregistered* - TermDD
*Deregistered* - Themes
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - wuauserv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 13:38]

2009-04-16 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 06:53]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Guru\Application Data\Mozilla\Firefox\Profiles\nknx870v.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 08:58
Windows 5.1.2600 Service Pack 3, v.5657 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 8:59
ComboFix-quarantined-files.txt 2009-04-28 00:59
ComboFix2.txt 2009-04-25 04:45
ComboFix3.txt 2009-04-19 15:33
ComboFix4.txt 2009-04-19 15:11

Pre-Run: 72,678,588,416 bytes free
Post-Run: 72,677,175,296 bytes free

201 --- E O F --- 2008-12-25 18:00

#16
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
If your Operating System meets the requirements below you can try this.

NOTES:
  • This is NOT for use by everyone and should ONLY be used by users that appear to have a CLEAN system but are still having issues installing MBAM.
  • It should only be run on English Windows XP 32 Bit.
  • If it does work and you can now scan with the program you should update and do a scan, then remove it and do an install with the normal PUBLISHED program from Malwarebytes.
  • A copy of the Official 1.34 setup program should be included in the C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware folder named: mbam-setup.exe
Please download and run this alternative installer, making sure you close all other applications, as it will restart the computer when it's finished.
Download here: fixmbam.exe

Let me know how it works out please.
Ron Lewis
Manager, Online Support


#17
Jazza

    New Member

  • Members
  • Pip
  • 36 posts
Same error when attempting to run 697734_MBAM, I'm afraid...

Gotta go to work. I'll check back when I get home.

#18
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Well at this point we're probably going to have to step it up a bit in terms of potential fixes, that can also potentially break things.

1. Do you have the original Windows XP CD to do repair/reinstall if needed?
2. Do you have all of your important data backed up to an external device, and are you sure it's valid and can be restored if needed?
3. Are you willing to work on trying some fixes or would you rather consider just formatting and rebuilding the box?
Ron Lewis
Manager, Online Support


#19
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Please post an update

Thanks.
Ron Lewis
Manager, Online Support


#20
AdvancedSetup

    Forum Deity

  • Administrators
  • PipPipPipPipPipPip
  • 22,575 posts
  • Gender:Male
  • Location:US
Are you still with us? Please post a status update on this.

Thanks
Ron Lewis
Manager, Online Support

