Malwarebytes, Hijack This, Unhack Me will not run

81 replies to this topic

#21
Maurice Naggar

    Malicious software eradicator

  • Moderators
  • 13,141 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from
>>> here <<<
  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Next, a special run of win32kdiag
Go to Start > RUN and copy and paste the following command in the field:

%userprofile%\desktop\cleaning programs\win32kdiag.exe -f -r


Next, try running Combofix
~Maurice Naggar

I close my threads if there are 5 days without a response.

#22
ghettogirll

    New Member

  • Members
  • 46 posts
  • Gender:Female
I did as you said, but when I did the copy/paste and hit Run, it said "Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

#23
Maurice Naggar

Hello; it's been a good while since your last visit & update.

Go to Start > RUN and copy and paste the following command in the field:

C:\Documents and Settings\Owner\Desktop\cleaning programs\win32kdiag.exe -f -r


Next, try running Combofix
~Maurice Naggar


#24
ghettogirll

Hi, actually I've been checking in, but did not realize the thread went to a second page (I'm a little slow sometimes lol), so I thought maybe you had been busy or something lol. Anyway, I tried the Start > Run paste and it keeps telling me "Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search."

#25
Maurice Naggar

Take a look at my reply that preceded this one. I recall you had told me you saved WIN32KDIAG on your desktop inside a folder named cleaning programs.

Double check that for us. If it is there, then the codebox I gave last time is good.

IF and only if you have win32kdiag.exe somewhere else, then do a Start, then Run, then choose BROWSE.
Browse and navigate to where you have it, then double-click it, but hold off on pressing Enter.
Now go to the end of the text box
and add after the exe a single space and
-F -R

If and only IF you have no luck, then re-download WIN32KDIAG and save it only to the DESKTOP,
then RUN
win32kdiag.exe -f -r

~Maurice Naggar


#26
ghettogirll

Ok, here is the log file from win32kdiag


Log file is located at: C:\Documents and Settings\Owner\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...



Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933566\KB933566

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB937143\KB937143

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\8HPW4CJRY6ELT18G\8HPW4CJRY6ELT18G

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\A3W_DATA\A3W_DATA

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\IEExecRemote

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP127.tmp\ZAP127.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1C.tmp\ZAP1C.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E4.tmp\ZAP1E4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1F.tmp\ZAP1F.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C4.tmp\ZAP2C4.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EA.tmp\ZAP2EA.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP392.tmp\ZAP392.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP415.tmp\ZAP415.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP4E.tmp\ZAP4E.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP54.tmp\ZAP54.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP661.tmp\ZAP661.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\CAVTemp\CAVTemp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\Setup\Backup\Backup

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ERDNT\FixIEDef\FixIEDef

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Fonts\data\data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\62287FAB00234BD4EB33D429A2978904\3.0.6920\3.0.6920

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\73b2c607\cd103b1d\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neodesk\9c6bd4b6\c7eed5e3\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neoedge.services.agent.webservices\0578d1b0\355e5723\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\neoedge.services.agent.webservices\1a4f6693\5c87f49d\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Minidump\Minidump

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\msdownld.tmp\msdownld.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\mui\mui

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
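An added Python example, not part of the thread and not Win32kDiag's own code: a parser for logs shaped like the one above. It pairs each "Found mount point" line with its "Mount point destination", flags any destination that is not an ordinary \??\Volume{GUID}\ target, and for each "Cannot access" file compares the copies Win32kDiag lists and flags the one with an empty vendor field, which is what separates the pchealth helpsvc.exe above from the ServicePackFiles copy of the same size. The log text inside the block is a constructed excerpt modelled on the post (the volume GUID is made up), and the checks are my own heuristics rather than rules from the tool.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the Win32kDiag log posted above (not the
# thread's full log). The \??\Volume{...} entry and its GUID are made up, to
# show an ordinary NTFS volume mount point next to the \Device\__max++>\^
# junctions the tool reported on the infected machine.
SAMPLE_LOG = r"""Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\Mount\Data

Mount point destination : \??\Volume{4c1b02c1-d990-11dc-99ae-806d6172696f}\

Cannot access: C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe

[1] 2004-08-04 08:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\pchealth\helpctr\binaries\helpsvc.exe ()

[1] 2008-04-13 20:12:21 744448 C:\WINDOWS\ServicePackFiles\i386\helpsvc.exe (Microsoft Corporation)
"""

MOUNT_RE = re.compile(r"^Found mount point : (.+)$")
DEST_RE = re.compile(r"^Mount point destination : (.+)$")
CANNOT_RE = re.compile(r"^Cannot access: (.+)$")
# [n] <date> <time> <size> <path> (<company name from the version resource, or empty>)
FILE_RE = re.compile(r"^\[\d+\] (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (.+?) \((.*)\)$")
# A real NTFS volume mount point resolves to \??\Volume{GUID}\ ; a junction whose
# target is a bare \Device\... name is not something Windows creates on its own.
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-f-]{36}\}\\?$", re.IGNORECASE)


def parse_win32kdiag(text):
    """Return (mount_points, inaccessible_files) from Win32kDiag output."""
    mounts, inaccessible = [], []
    pending_mount, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # the tool double-spaces its output
        if m := MOUNT_RE.match(line):
            pending_mount, current = m.group(1), None
        elif (m := DEST_RE.match(line)) and pending_mount is not None:
            mounts.append((pending_mount, m.group(1)))
            pending_mount = None
        elif m := CANNOT_RE.match(line):
            current = {"path": m.group(1), "copies": []}
            inaccessible.append(current)
        elif (m := FILE_RE.match(line)) and current is not None:
            stamp, size, path, vendor = m.groups()
            current["copies"].append({"time": stamp, "size": int(size), "path": path, "vendor": vendor})
        else:
            current = None                # any other line ends a file listing
    return mounts, inaccessible


def analyze_win32kdiag(text):
    """Summarise a log: odd junction targets and unreadable files with no vendor stamp."""
    mounts, inaccessible = parse_win32kdiag(text)
    suspicious = [(p, d) for p, d in mounts if not VOLUME_RE.match(d)]
    benign = [(p, d) for p, d in mounts if VOLUME_RE.match(d)]
    findings = []
    for entry in inaccessible:
        same = [c for c in entry["copies"] if c["path"].lower() == entry["path"].lower()]
        refs = [c for c in entry["copies"] if c["path"].lower() != entry["path"].lower()]
        if not same:
            continue
        target, reasons = same[0], []
        if not target["vendor"]:
            reasons.append("missing version info")      # heuristic, my assumption
        if refs and all(r["size"] != target["size"] for r in refs):
            reasons.append("size matches no reference copy")
        findings.append({"path": target["path"], "size": target["size"], "vendor": target["vendor"],
                         "reasons": reasons, "reference_copies": len(refs)})
    return {
        "suspicious_mount_points": suspicious,
        "benign_mount_points": benign,
        "destinations": Counter(d for _, d in mounts),
        "inaccessible_files": findings,
    }


if __name__ == "__main__":
    report = analyze_win32kdiag(SAMPLE_LOG)
    for dest, n in report["destinations"].most_common():
        print(f"{n:3d} mount point(s) -> {dest}")
    for path, dest in report["suspicious_mount_points"]:
        print(f"SUSPICIOUS junction {path} -> {dest}")
    for f in report["inaccessible_files"]:
        print(f"UNREADABLE {f['path']} ({f['size']} bytes): {', '.join(f['reasons']) or 'no anomaly'}")
```

Run it as a script to print the summary, or import it and hand analyze_win32kdiag() the text of a real Win32kDiag.txt; on the log above every one of the sixty-odd junctions shares the same \Device\__max++>\^ destination, which is the detail the Counter makes obvious at a glance.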

#27
Maurice Naggar

Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

If and only if MBAM does not run, then let me know the details, but proceed forward with this next scan.

=
Next, disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;

  • Approve the install of the required ActiveX Control, then follow on-screen instructions;

  • Enable (check) the Remove found threats option, and run the scan.

  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here
    http://www.eset.com/...c4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.
=
RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of the MBAM scan log
and the Eset scan log
~Maurice Naggar


#28
ghettogirll

Malwarebytes is still doing the same thing. It starts to run then shuts down. When I try to restart it, it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."

#29
Maurice Naggar

Do this next procedure please

(With much thanks to Tetonbob at TSF, whose methods & verbiage I'm using here).

Download this tool and save it directly to your desktop (not a folder on the desktop); the commands are tailored for the desktop location.

Click Start>Run and
Copy then Paste the following bolded text into the Run box and click OK:

"%userprofile%\desktop\Inherit.exe" "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"


Repeat for these files, or simply find the files and drag/drop them onto inherit.exe. For any other files that give you an access denied message, you can do the same.

"%userprofile%\desktop\Inherit.exe" "c:\WINDOWS\system32\wbem\wmiprvse.exe"


Then try MBAM. It should work now. In case it does not, proceed forward with the Eset online scan and remainder (as I outlined before).
~Maurice Naggar


#30
ghettogirll

I did as you said and was able to start MBAM again, but once it started it shut down again and did the same thing it did before. So, now I am going to try the ESET online scan.

#31
ghettogirll

Here are the ESET results (it said it found no viruses).


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=663b3fd357f9af4da7e79110bee4f311
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-09-16 06:22:30
# local_time=2009-09-16 02:22:30 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 7846855278816
# scanned=1419
# found=0
# cleaned=0
# scan_time=60

#32
Maurice Naggar

Make very very sure you saved inherit.exe on the Desktop { and nowhere else and not in any folder }.
See and do the steps from my last immediate reply.

Next, Download GMER Rootkit Scanner from here or here. Unzip it to your Desktop.

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt".
  • Save it where you can easily find it, such as your desktop.

Confirm Inherit is on the desktop
and you have done those steps
AND
reply with copy of Gmer.txt
~Maurice Naggar


#33
ghettogirll

Inherit is located on my desktop and I have done the outlined steps. Here is a copy of the Gmer log.


GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-18 13:41:08
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfayypob.sys


---- System - GMER 1.0.15 ----

SSDT F8DD7636 ZwCreateKey
SSDT F8DD762C ZwCreateThread
SSDT F8DD763B ZwDeleteKey
SSDT F8DD7645 ZwDeleteValueKey
SSDT spfs.sys ZwEnumerateKey [0xF8673CA4]
SSDT spfs.sys ZwEnumerateValueKey [0xF8674032]
SSDT F8DD764A ZwLoadKey
SSDT spfs.sys ZwOpenKey [0xF86550C0]
SSDT F8DD7618 ZwOpenProcess
SSDT F8DD761D ZwOpenThread
SSDT spfs.sys ZwQueryKey [0xF867410A]
SSDT spfs.sys ZwQueryValueKey [0xF8673F8A]
SSDT F8DD7654 ZwReplaceKey
SSDT F8DD764F ZwRestoreKey
SSDT F8DD7640 ZwSetValueKey
SSDT F8DD7627 ZwTerminateProcess

INT 0x39 ? 83180BF8
INT 0x39 ? 83180BF8
INT 0x3E ? 8336FBF8
INT 0x3F ? 8336FBF8

---- Kernel code sections - GMER 1.0.15 ----

? spfs.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F75A48AC 5 Bytes JMP 831801D8
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[316] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833712D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8686C4C] spfs.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8686CA0] spfs.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8656042] spfs.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F865613E] spfs.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86560C0] spfs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8656800] spfs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86566D6] spfs.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8665E9C] spfs.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 831802D8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8336E1F8
Device \FileSystem\Fastfat \FatCdrom 82BD8500
Device \Driver\usbuhci \Device\USBPDO-0 831F0500
Device \Driver\usbuhci \Device\USBPDO-1 831F0500
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [980] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1080] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1144] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1444] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1976] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8E 0x80 0x43 0x1A ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8E 0x80 0x43 0x1A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
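An added Python example, not part of the thread and not GMER's own code: a reader for the GMER log format above that answers the questions an analyst asks first of such a log. It groups SSDT hooks by the module GMER attributed them to (a bare address means no loaded driver claimed the hook), lists the hidden module and every process it was mapped into, flags service image paths whose base name is a long run of lowercase letters, and reports disk sectors GMER marked as rootkit-like. The log text in the block is a constructed excerpt modelled on the post; treating spfs.sys as the SPTD helper driver and the random-name length threshold are my assumptions, not GMER rules.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the GMER log posted above (not the whole log).
SAMPLE_GMER = r"""GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-18 13:41:08

---- System - GMER 1.0.15 ----

SSDT F8DD7636 ZwCreateKey
SSDT spfs.sys ZwEnumerateKey [0xF8673CA4]
SSDT F8DD7618 ZwOpenProcess
SSDT spfs.sys ZwOpenKey [0xF86550C0]

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [980] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\4D0BD130.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1976] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)(?: \[0x[0-9A-Fa-f]+\])?$")
LIB_RE = re.compile(r"^Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+) \[(\d+)\] 0x[0-9A-Fa-f]+$")
DISK_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{20,}$")   # heuristic threshold, my assumption
KNOWN_BENIGN_HOOKERS = {"spfs.sys"}            # assumption: SPTD (CD emulation) helper driver


def parse_gmer(text):
    """Split a GMER log into its sections and pull out the lines of interest."""
    section, out = None, {"ssdt": [], "libraries": [], "registry": [], "disk": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            out["ssdt"].append({"hooker": m.group(1), "function": m.group(2)})
        elif section == "Processes" and (m := LIB_RE.match(line)):
            out["libraries"].append({"module": m.group(1), "process": m.group(2), "pid": int(m.group(3))})
        elif section == "Registry" and line.startswith("Reg "):
            rest = line[4:]
            if rest.endswith(" (not active ControlSet)"):
                rest = rest[: -len(" (not active ControlSet)")]
            key, _, tail = rest.partition("@")       # key@valuename value
            name, _, value = tail.partition(" ")
            out["registry"].append({"key": key, "name": name, "value": value})
        elif section == "Disk sectors" and (m := DISK_RE.match(line)):
            out["disk"].append({"device": m.group(1), "sector": int(m.group(2)), "note": m.group(3)})
    return out


def analyze_gmer(text):
    """Turn the parsed log into the findings an analyst looks at first."""
    p = parse_gmer(text)
    hooks = defaultdict(list)
    for h in p["ssdt"]:
        hooks[h["hooker"]].append(h["function"])
    # A hooker printed as a bare address means GMER could not tie the hook to any
    # loaded driver: there is code in the kernel that no module accounts for.
    unattributed = [h["function"] for h in p["ssdt"] if re.fullmatch(r"[0-9A-Fa-f]{8}", h["hooker"])]
    hidden = defaultdict(list)
    for lib in p["libraries"]:
        hidden[lib["module"]].append((lib["process"], lib["pid"]))
    odd_images = []
    for r in p["registry"]:
        if "\\Services\\" in r["key"] and r["value"]:
            stem = r["value"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if RANDOM_STEM_RE.match(stem):
                odd_images.append({"key": r["key"], "name": r["name"], "image": r["value"]})
    return {
        "ssdt_hooks": dict(hooks),
        "unattributed_ssdt_hooks": unattributed,
        "known_benign_hookers_seen": sorted(set(hooks) & KNOWN_BENIGN_HOOKERS),
        "hidden_libraries": dict(hidden),
        "suspicious_service_images": odd_images,
        "disk_warnings": [(d["device"], d["sector"], d["note"]) for d in p["disk"] if "rootkit" in d["note"]],
    }


if __name__ == "__main__":
    s = analyze_gmer(SAMPLE_GMER)
    print("unattributed SSDT hooks:", ", ".join(s["unattributed_ssdt_hooks"]))
    for mod, procs in s["hidden_libraries"].items():
        print(f"hidden module {mod} in {len(procs)} process(es): {[pid for _, pid in procs]}")
    for item in s["suspicious_service_images"]:
        print("random-looking service image:", item["image"])
    for dev, sector, note in s["disk_warnings"]:
        print(f"{dev} sector {sector}: {note}")
```

The separate known-benign list matters in practice: the sptd entries in the posted log are the usual footprint of CD-emulation software and would otherwise drown out the hooks that genuinely have no owner, which here is exactly the set with the F8DD7xxx addresses.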

#34
Maurice Naggar

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not ghettogirll and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.


Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.

  • Next, double-click on avenger.exe to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars lines **** below to the clipboard by highlighting it and then pressing Ctrl+C.
    ********************************************************
    Files to delete:
    C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
    C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll

    Drivers to delete:
    gaopdxserv
    gaopdxl
    gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    ********************************************************
  • In the Avenger window, click the Paste Script from Clipboard button.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Now, Logoff and restart Windows for a fresh start.

When that is finished, a new run of GMER

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


Double-click gmer.exe.

The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=
Reply with copy of C:\Avenger.txt
and the new Gmer.txt log
and the MBAM scan log

~Maurice Naggar

I close my threads if there are 5 days without a response.

#35
ghettogirll

    New Member

  • Members
  • 46 posts
  • Gender:Female
Here are the log files you requested, although I ran both Avenger and Gmer, I am still unable to run malwarebytes.

Avenger log file

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxl" not found!
Deletion of driver "gaopdxl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" not found!
Deletion of driver "gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.


Gmer log file

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-19 02:00:38
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfayypob.sys


---- System - GMER 1.0.15 ----

SSDT F8E7DAAE ZwCreateKey
SSDT F8E7DAA4 ZwCreateThread
SSDT F8E7DAB3 ZwDeleteKey
SSDT F8E7DABD ZwDeleteValueKey
SSDT sprq.sys ZwEnumerateKey [0xF8673CA4]
SSDT sprq.sys ZwEnumerateValueKey [0xF8674032]
SSDT F8E7DAC2 ZwLoadKey
SSDT sprq.sys ZwOpenKey [0xF86550C0]
SSDT F8E7DA90 ZwOpenProcess
SSDT F8E7DA95 ZwOpenThread
SSDT sprq.sys ZwQueryKey [0xF867410A]
SSDT sprq.sys ZwQueryValueKey [0xF8673F8A]
SSDT F8E7DACC ZwReplaceKey
SSDT F8E7DAC7 ZwRestoreKey
SSDT F8E7DAB8 ZwSetValueKey
SSDT F8E7DA9F ZwTerminateProcess

INT 0x39 ? 831BDF00
INT 0x39 ? 831BDF00
INT 0x3E ? 833DEBF8
INT 0x3F ? 833DEBF8

---- Kernel code sections - GMER 1.0.15 ----

? vrcjpyrd.sys The system cannot find the file specified. !
? sprq.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F75CA8AC 5 Bytes JMP 831BD4E0
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[536] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833E02D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8686C4C] sprq.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8686CA0] sprq.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8656042] sprq.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F865613E] sprq.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86560C0] sprq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8656800] sprq.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86566D6] sprq.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8665E9C] sprq.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 831BD5E0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 833DD1F8
Device \FileSystem\Fastfat \FatCdrom 82E4C500
Device \Driver\usbuhci \Device\USBPDO-0 831B81F8
Device \Driver\usbuhci \Device\USBPDO-1 831B81F8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [220] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [980] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1080] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1140] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1320] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1448] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1596] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet004\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet005\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8E 0x80 0x43 0x1A ...
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8E 0x80 0x43 0x1A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----
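
An added triage script, written for this edit and not taken from the thread or from GMER: it parses a GMER log in the format quoted above and pulls out the items a helper reads first (hidden injected modules and the processes hosting them, SSDT hooks and whether GMER could attribute them to a driver, service image paths in the registry section, the LoadAppInit_DLLs switch, and disk sectors GMER flags as rootkit-like). The embedded log is a constructed, abbreviated excerpt; as the helper's own caution says, a hook by itself is not proof of infection, so the hooking driver still has to be checked against legitimately installed software (the later log in this thread shows McAfee's mfehidk.sys hooking the same way).

```python
import re
from collections import defaultdict

# Constructed, abbreviated excerpt in the format of the GMER 1.0.15 log quoted above.
SAMPLE_GMER_LOG = r"""GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-19 02:00:38
---- System - GMER 1.0.15 ----
SSDT F8E7DAAE ZwCreateKey
SSDT sprq.sys ZwEnumerateKey [0xF8673CA4]
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [980] 0x35670000
Library \\?\globalroot\Device\__max++>\7E1A1650.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1448] 0x35670000
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HIDDEN_LIB_RE = re.compile(r"^Library (\S+) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]")
SSDT_RE = re.compile(r"^SSDT (\S+) (Zw\w+)")
DISK_RE = re.compile(r"^Disk (\S+) sector (\d+): (.+)$")
SERVICE_IMAGE_RE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(ControlSet\d+|CurrentControlSet)\\Services\\([^\\@]+)@imagepath (.+)$",
    re.IGNORECASE)


def split_sections(text):
    """Group the log's lines under their '---- Name - GMER x.y.z ----' headers."""
    sections = defaultdict(list)
    current = "Header"
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    """Extract the findings a helper reads first from a GMER log."""
    sections = split_sections(text)
    report = {
        "hidden_libraries": [],           # (dll path, host process, pid)
        "ssdt_hooks": defaultdict(list),  # hooking module or "unresolved" -> [Zw* names]
        "disk_findings": [],              # (device, sector, description) flagged by GMER
        "service_images": [],             # (control set, service key, image path)
        "appinit_dlls_enabled": False,
    }
    for line in sections.get("Processes", []):
        m = HIDDEN_LIB_RE.match(line)
        if m:
            report["hidden_libraries"].append((m.group(1), m.group(2), int(m.group(3))))
    for line in sections.get("System", []):
        m = SSDT_RE.match(line)
        if m:
            module, func = m.groups()
            # A bare 8-digit hex address means GMER could not map the hook to a driver.
            if re.fullmatch(r"[0-9A-F]{8}", module):
                module = "unresolved"
            report["ssdt_hooks"][module].append(func)
    for line in sections.get("Disk sectors", []):
        m = DISK_RE.match(line)
        if m and "rootkit-like" in m.group(3):
            report["disk_findings"].append((m.group(1), int(m.group(2)), m.group(3)))
    for line in sections.get("Registry", []):
        m = SERVICE_IMAGE_RE.match(line)
        if m:
            report["service_images"].append(m.groups())
        if line.lower().endswith("@loadappinit_dlls 1"):
            report["appinit_dlls_enabled"] = True
    return report


def summarize(report):
    """One line per finding, boot-sector findings first."""
    out = [f"Boot sector: {dev} sector {sec}: {desc}" for dev, sec, desc in report["disk_findings"]]
    for path in sorted({p for p, _, _ in report["hidden_libraries"]}):
        hosts = sorted(f"{proc} [{pid}]" for p, proc, pid in report["hidden_libraries"] if p == path)
        out.append(f"Hidden module {path} loaded in: {', '.join(hosts)}")
    for module, funcs in sorted(report["ssdt_hooks"].items()):
        # Hooks by a known, legitimately installed driver are a common false positive; verify first.
        out.append(f"SSDT hooks by {module}: {', '.join(funcs)}")
    for control_set, service, image in report["service_images"]:
        out.append(f"Service {service} ({control_set}) -> {image}")
    if report["appinit_dlls_enabled"]:
        out.append("LoadAppInit_DLLs is 1: inspect the AppInit_DLLs value for injected modules")
    return out


if __name__ == "__main__":
    for finding in summarize(triage(SAMPLE_GMER_LOG)):
        print(finding)
```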

#36
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,141 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
This system has very serious rootkits, one of which is an MBR rootkit.

It is highly likely hackers remotely control your computer, steal critical system information and download and execute files.

I would urge you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of infection, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We could attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.
~Maurice Naggar

I close my threads if there are 5 days without a response.

#37
ghettogirll

    New Member

  • Members
  • 46 posts
  • Gender:Female
Wow, I'm glad you told me that...I do banking and pay my bills online so I guess I better stop. Thanks sooo much. I would like to attempt to at least try to clean it. I do plan on getting a new pc soon, but in the meantime I need this one. I will however, not do anymore banking or anything on it. Thanks sooo much for all of your help.

#38
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,141 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
If you will stay and hang with me for the next few hours, I'd do what I can to "attempt" to remove the rootkits.
There will be lots more work and checkups later !

You already have Avenger and Gmer and MBAM. We will use them as is. Keep pc disconnected from internet and only connect when absolutely necessary ---- unless you have a clean pc to work with where you are.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
If you are a casual viewer, do NOT try this on your system!
If you are not ghettogirll and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.
  • Double-click on avenger.exe to start The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars lines **** below to the clipboard by highlighting it and then pressing Ctrl+C.
    ********************************************************
    Drivers to disable:
    gaopdxserv
    gaopdxl
    gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm

    Drivers to delete:
    gaopdxserv
    gaopdxl
    gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm

    Files to delete:
    C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys
    C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll
    C:\7E1A1650.x86.dll
    C:\Windows\system32\7E1A1650.x86.dll
    C:\4D0BD130.x86.dll
    C:\Windows\system32\4D0BD130.x86.dll

    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\gaopdxserv.sys

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler

    ********************************************************
  • In the Avenger window, click the Paste Script from Clipboard button.
  • ! Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

=

Now, Logoff and restart Windows for a fresh start.

When that is finished, a new run of GMER

========================================================

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

========================================================


Double-click gmer.exe.

The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.


If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click Yes.
  • Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity, remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop.
Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=
Reply with copy of C:\Avenger.txt
and the new Gmer.txt log
and the MBAM scan log

~Maurice Naggar

I close my threads if there are 5 days without a response.

#39
ghettogirll

    New Member

  • Members
  • 46 posts
  • Gender:Female
Here is the Avenger log...I was not connected to the internet when I ran these....

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: could not open driver "gaopdxserv"
Disablement of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "gaopdxl"
Disablement of driver "gaopdxl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open driver "gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm"
Disablement of driver "gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxl" not found!
Deletion of driver "gaopdxl" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm" not found!
Deletion of driver "gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gaopdxdorqqgkolwhxvmplhbostjkylkiqqlxm.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\7E1A1650.x86.dll" not found!
Deletion of file "C:\7E1A1650.x86.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\7E1A1650.x86.dll" not found!
Deletion of file "C:\Windows\system32\7E1A1650.x86.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\4D0BD130.x86.dll" not found!
Deletion of file "C:\4D0BD130.x86.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\system32\4D0BD130.x86.dll" not found!
Deletion of file "C:\Windows\system32\4D0BD130.x86.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\gaopdxserv.sys" deleted successfully.
Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\gaopdxserv.sys" deleted successfully.
Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "e:\recycler"
Deletion of folder "e:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "f:\recycler"
Deletion of folder "f:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "g:\recycler"
Deletion of folder "g:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "h:\recycler"
Deletion of folder "h:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Completed script processing.

*******************

Finished! Terminate.



Here is the Gmer log.....



GMER 1.0.15.15087 - http://www.gmer.net
Rootkit quick scan 2009-09-20 03:30:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kfayypob.sys


---- System - GMER 1.0.15 ----

SSDT sppx.sys ZwEnumerateKey [0xF8673CA4]
SSDT sppx.sys ZwEnumerateValueKey [0xF8674032]

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xF38904EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xF3890498]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xF38904AC]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xF389059B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF38905C7]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF389052A]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xF3890661]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xF3890470]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xF3890484]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xF38904FE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xF3890609]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xF38905B1]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xF3890689]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xF3890675]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xF38904D6]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xF38904C2]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF3890559]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xF389064B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF3890540]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xF3890514]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8336E1F8

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)

Device \FileSystem\Fastfat \Fat 82E28500

AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.15 ----



I still cannot run Mbam.
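
An added example, not part of the thread or of The Avenger: a parser for the Avenger 2.0 log format quoted above that separates the items actually removed from the items that were simply absent (STATUS_OBJECT_NAME_NOT_FOUND and STATUS_OBJECT_PATH_NOT_FOUND, the codes behind the helper's "not all the items will be found" remark) and from any other failure that deserves a second look. The embedded log is a constructed excerpt; its STATUS_ACCESS_DENIED entry and the path in it are made up to exercise the third bucket.

```python
import re

# Constructed excerpt in the format of the Avenger 2.0 log posted above. The final
# STATUS_ACCESS_DENIED entry and its path are made up to show a failure that is
# not just "nothing there to delete".
SAMPLE_AVENGER_LOG = r"""Logfile of The Avenger Version 2.0, © by Swandog46

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: could not open driver "gaopdxserv"
Disablement of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" not found!
Deletion of file "C:\WINDOWS\system32\gaopdxuppufuirvokclrwtjeuyavbufprqxptb.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\gaopdxserv.sys" deleted successfully.
Folder "C:\recycler" deleted successfully.

Error: could not open folder "D:\recycler"
Deletion of folder "D:\recycler" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist

Error: could not delete file "C:\CONSTRUCTED\example.sys"
Deletion of file "C:\CONSTRUCTED\example.sys" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)
--> access denied

Completed script processing.
"""

OK_RE = re.compile(r'^(File|Folder|Driver|Registry key|Registry value) "(.+)" (deleted|disabled) successfully\.$')
FAIL_RE = re.compile(r'^(Deletion|Disablement) of (file|folder|driver|registry key|registry value) "(.+)" failed!$')
STATUS_RE = re.compile(r'^Status: (0x[0-9a-fA-F]{8}) \((\w+)\)$')

# Codes that mean the item was not there to begin with. Expected when a script
# lists every plausible path and drive letter, as the one above does.
ABSENT = {"STATUS_OBJECT_NAME_NOT_FOUND", "STATUS_OBJECT_PATH_NOT_FOUND"}


def parse_avenger_log(text):
    """Return one dict per script action, in log order, with its outcome and NTSTATUS."""
    results = []
    pending = None  # the failed action still waiting for its 'Status:' line
    for raw in text.splitlines():
        line = raw.strip()
        m = OK_RE.match(line)
        if m:
            results.append({"kind": m.group(1).lower(), "target": m.group(2),
                            "action": m.group(3), "ok": True, "code": None, "status": None})
            continue
        m = FAIL_RE.match(line)
        if m:
            pending = {"kind": m.group(2), "target": m.group(3),
                       "action": "delete" if m.group(1) == "Deletion" else "disable",
                       "ok": False, "code": None, "status": None}
            results.append(pending)
            continue
        m = STATUS_RE.match(line)
        if m and pending is not None:
            pending["code"], pending["status"] = m.group(1).lower(), m.group(2)
            pending = None
    return results


def classify(results):
    """Bucket actions into removed / absent / needs_attention."""
    buckets = {"removed": [], "absent": [], "needs_attention": []}
    for r in results:
        if r["ok"]:
            buckets["removed"].append(r["target"])
        elif r["status"] in ABSENT:
            buckets["absent"].append(r["target"])
        else:
            # Access denied, sharing violations and the like mean something is still
            # holding the object: worth a closer look rather than "do not worry".
            buckets["needs_attention"].append((r["target"], r["status"] or "no status line"))
    return buckets


if __name__ == "__main__":
    for name, items in classify(parse_avenger_log(SAMPLE_AVENGER_LOG)).items():
        print(f"{name}: {items}")
```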

#40
Maurice Naggar

    Eradicator de logiciels malveillants

  • Moderators
  • 13,141 posts
  • Gender:Male
  • Location:USA
  • Interests:Security, Windows, Windows Update, malware prevention
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop and SAVE it as cf.bat.

Link 1
Link 2
Link 3


* IMPORTANT !!! SAVE AS CF.BAT to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • After it is saved, disconnect the pc from the internet by unplugging the cable connection to the internet.
  • Double click on CF.BAT & follow the prompts.
Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Reconnect to the internet.

Reply with copy of the C:\Combofix.txt
~Maurice Naggar

I close my threads if there are 5 days without a response.




