I have a virus that is causing my computer to shut down. After logging on, a System Shutdown box appears stating, among other things, "This system shutdown was initiated by NT AUTHORITY\SYSTEM" and "C:\windows32\services.exe". I am able to reboot and keep the computer running, but only in Safe Mode, thus preventing any internet connection. I was able to download the AntiMalware (mbam-setup.exe) and HijackThis onto a removable disk drive from another computer and load them onto the desktop, but neither will run on the infected computer. I was finally able to get Combo-Fix loaded onto the computer and was able to run it and generate a log file. Hopefully, you can help me find a solution to this virus.
Here is the log:
ComboFix 09-09-14.02 - JHemmenw 09/15/2009 19:51.1.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.3334 [GMT -7:00]
Running from: E:\Combo-Fix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\All Users\Application Data\dawot.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\All Users\Documents\hahed._dl
c:\documents and settings\All Users\Documents\qanawo.reg
c:\documents and settings\JHemmenw\Application Data\vudu.vbs
c:\documents and settings\JHemmenw\Application Data\zykefiry.bat
c:\documents and settings\JHemmenw\Cookies\dyxu.lib
c:\documents and settings\JHemmenw\Cookies\otufu.inf
c:\documents and settings\JHemmenw\Cookies\unazoty.pif
c:\documents and settings\JHemmenw\Cookies\ypadof._dl
c:\documents and settings\JHemmenw\Local Settings\Application Data\ehorutyzyw.dll
c:\documents and settings\JHemmenw\Local Settings\Application Data\kewela._sy
c:\documents and settings\JHemmenw\Local Settings\Temporary Internet Files\sihu.dl
c:\program files\Common Files\jysyzadud.exe
c:\program files\Common Files\mosogiva.sys
c:\program files\Common
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\program files\Windows Police Pro\tmp\dbsinit.exe
c:\program files\Windows Police Pro\tmp\images\i1.gif
c:\program files\Windows Police Pro\tmp\images\i2.gif
c:\program files\Windows Police Pro\tmp\images\i3.gif
c:\program files\Windows Police Pro\tmp\images\j1.gif
c:\program files\Windows Police Pro\tmp\images\j2.gif
c:\program files\Windows Police Pro\tmp\images\j3.gif
c:\program files\Windows Police Pro\tmp\images\jj1.gif
c:\program files\Windows Police Pro\tmp\images\jj2.gif
c:\program files\Windows Police Pro\tmp\images\jj3.gif
c:\program files\Windows Police Pro\tmp\images\l1.gif
c:\program files\Windows Police Pro\tmp\images\l2.gif
c:\program files\Windows Police Pro\tmp\images\l3.gif
c:\program files\Windows Police Pro\tmp\images\pix.gif
c:\program files\Windows Police Pro\tmp\images\t1.gif
c:\program files\Windows Police Pro\tmp\images\t2.gif
c:\program files\Windows Police Pro\tmp\images\up1.gif
c:\program files\Windows Police Pro\tmp\images\up2.gif
c:\program files\Windows Police Pro\tmp\images\w1.gif
c:\program files\Windows Police Pro\tmp\images\w11.gif
c:\program files\Windows Police Pro\tmp\images\w2.gif
c:\program files\Windows Police Pro\tmp\images\w3.gif
c:\program files\Windows Police Pro\tmp\images\w3.jpg
c:\program files\Windows Police Pro\tmp\images\wt1.gif
c:\program files\Windows Police Pro\tmp\images\wt2.gif
c:\program files\Windows Police Pro\tmp\images\wt3.gif
c:\program files\Windows Police Pro\tmp\wispex.html
c:\program files\Windows Police Pro\windows Police Pro.exe
C:\setup.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\3a291.msi
c:\windows\nogafevycy.sys
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\bennuar.old
c:\windows\system32\braviax.exe
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro
c:\windows\system32\config\systemprofile\Start Menu\Programs\Windows Antivirus Pro\Windows Antivirus Pro.lnk
c:\windows\system32\cru629.dat
c:\windows\system32\ddDEsot.dll
c:\windows\system32\desote.exe
c:\windows\system32\drivers\SKYNETdepxnlcv.sys
c:\windows\system32\icezepu.inf
c:\windows\system32\licemuxet.inf
c:\windows\system32\onhelp.htm
c:\windows\system32\qobuly.bin
c:\windows\system32\SKYNETckorrmid.dat
c:\windows\system32\SKYNETeogwboed.dll
c:\windows\system32\SKYNETiiysaajl.dll
c:\windows\system32\SKYNETsbpjwsou.dll
c:\windows\system32\SKYNETsiootsvy.dat
c:\windows\system32\sonhelp.htm
c:\windows\system32\sysnet.dat
c:\windows\system32\wisdstr.exe
----- BITS: Possible infected sites -----
hxxp://usewsus01.wlgore.com
c:\windows\system32\drivers\beep.sys . . . is infected!!
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETmtpppcvc
-------\Legacy_SKYNETmtpppcvc
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
((((((((((((((((((((((((( Files Created from 2009-08-16 to 2009-09-16 )))))))))))))))))))))))))))))))
.
2009-09-16 02:13 . 2009-09-16 02:13 -------- d-----w- c:\program files\Trend Micro
2009-09-10 18:28 . 2009-09-10 18:28 -------- d-----w- c:\windows\system32\GroupPolicy\User\Scripts\Logoff\Logoff
2009-09-10 18:28 . 2009-09-10 18:28 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 14:05 . 2009-09-09 14:05 163840 ----a-w- c:\windows\svchasts.exe
2009-09-09 13:56 . 2009-09-09 13:56 11166 ----a-w- c:\windows\system32\yhupyhohi.dat
2009-09-09 13:56 . 2009-09-09 13:56 17900 ----a-w- c:\program files\Common Files\witypule.dat
2009-09-08 20:04 . 2009-09-08 20:04 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-25 22:12 . 2009-08-25 22:12 57344 ----a-w- C:\clipstreamsa.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-16 02:02 . 2009-08-05 03:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 21:54 . 2009-08-05 03:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-08-05 03:59 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 18:28 . 2009-08-06 14:42 20008 ----a-w- c:\windows\system32\drivers\CDProbe.SYS
2009-09-09 22:57 . 2009-02-17 23:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-09 13:56 . 2009-09-09 13:56 14430 ----a-w- c:\program files\Common Files\usijejityp.lib
2009-09-09 13:56 . 2008-11-14 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\ATTToolbar
2009-09-04 18:11 . 2008-08-27 19:24 -------- d-----w- c:\program files\AT&T Global Network Client
2009-08-05 09:11 . 2004-08-05 00:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 03:59 . 2009-08-05 03:59 -------- d-----w- c:\documents and settings\JHemmenw\Application Data\Malwarebytes
2009-08-05 03:59 . 2009-08-05 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-29 04:53 . 2004-08-05 00:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-07-29 04:53 . 2004-08-05 00:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-17 18:55 . 2004-08-05 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 09:18 . 2004-08-05 00:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-26 15:59 . 2004-08-05 00:00 668160 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 15:59 . 2004-08-05 00:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2004-08-05 00:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2004-08-05 00:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2004-08-05 00:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2004-08-05 00:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2004-08-05 00:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2004-08-05 00:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2004-08-05 00:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2004-08-05 00:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2004-08-05 00:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2004-08-05 00:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2004-08-05 00:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2004-08-05 00:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2004-08-05 00:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2004-08-05 00:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2004-08-05 00:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2004-08-05 00:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2004-08-05 00:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2004-08-05 00:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-24 16:36 . 2008-08-27 19:18 85852 ----a-w- c:\windows\system32\nvModes.dat
2009-06-22 11:49 . 2004-08-05 00:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2004-08-05 00:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2004-08-05 00:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2004-08-05 00:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2004-08-05 00:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-22 10:39 . 2009-06-22 10:39 93 ----a-w- c:\windows\system32\SKYNET.dat
.
------- Sigcheck -------
[-] 2009-09-06 15:02 . AE15763F0C1122B40762AB538199C519 . 28672 . . [------] . . c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NetSP - restore settings on power failure"="c:\program files\AT&T Global Network Client\NetSP.exe" [2007-01-13 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGNS_Config"="nircmd execmd" [X]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"iPrint Tray"="c:\windows\system32\iprntctl.exe" [2007-05-07 40960]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2008-07-17 136512]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"Discovery User Input"="c:\discovery\User Input\userin32.exe" [2009-02-14 233472]
"iPrint Event Monitor"="c:\windows\system32\iprntlgn.exe" [2007-05-07 45056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"ISW.exe"="c:\program files\AT&T\Internet Security Wizard\ISW.exe" [2007-05-03 2061816]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-03 155648]
"NWTRAY"="NWTRAY.EXE" - c:\windows\system32\nwtray.exe [2002-03-12 28672]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-11-17 1626112]
"NVHotkey"="nvHotkey.dll" - c:\windows\system32\nvhotkey.dll [2007-11-17 86016]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2"="nircmd execmd" [X]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Novell iFolder.lnk - c:\program files\Novell\iFolder\trayapp.exe [2006-11-7 266317]
Printer Status Monitor.lnk - c:\program files\SHARP\Printer Status Monitor\Smon.exe [2008-12-19 180313]
Printkey2000.lnk - c:\program files\PrintKey2000\Printkey2000.exe [2005-3-4 869376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"CompatibleRUPSecurity"= 1 (0x1)
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2007-07-20 458752]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2007-01-10 17:52 24576 ----a-w- c:\windows\system32\Novell\xtnotify.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\System32\\DPMW32.EXE"=
"c:\\Program Files\\Novell\\ZENworks\\RemoteManagement\\RMAgent\\ZenRem32.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
R0 NifFltr;NifFltr;c:\windows\system32\drivers\niffltr.sys [11/7/2006 11:19 AM 25300]
R0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys [1/1/1980 5:00 AM 17584]
S1 enstart_;enstart_;c:\windows\system32\enstart_.sys [8/27/2008 12:31 PM 25472]
S1 nipplpt2;Novell iCapture Lpt Redirector 2;c:\windows\system32\drivers\nipplpt.sys [3/4/2005 9:31 PM 34671]
S2 agnwifi;AT&T Wi-Fi Support Driver;c:\windows\system32\drivers\agnwifi.sys [4/29/2004 2:19 PM 19328]
S2 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\BCMWLNPF.SYS [8/27/2008 12:31 PM 33664]
S2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 12:47 PM 6899]
S2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
S2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 8:59 AM 167936]
S2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [1/6/2006 2:37 AM 9176]
S2 XTAgent;Novell XTier Agent Services;c:\windows\system32\Novell\xtagent.exe [1/10/2007 10:52 AM 61440]
S3 agnfilt;AGN Filter Interface;c:\windows\system32\drivers\agnfilt.sys [5/19/2006 6:46 AM 180864]
S3 avpnnic;AGN Virtual Network Adapter;c:\windows\system32\drivers\avpnnic.sys [4/4/2003 9:48 AM 13952]
S3 CdProbe;CdProbe;c:\windows\system32\drivers\CDProbe.SYS [8/6/2009 7:42 AM 20008]
S3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [5/23/2005 12:11 PM 2773]
S3 vmmouse;VMware Pointing Device;c:\windows\system32\drivers\vmmouse.sys [3/23/2005 2:40 AM 11312]
S3 vmx_svga;vmx_svga;c:\windows\system32\drivers\vmx_svga.sys [1/1/1980 5:00 AM 22448]
S3 vmxnet;VMware Ethernet Adapter Driver;c:\windows\system32\drivers\vmxnet.sys [1/1/1980 5:00 AM 29232]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
2009-08-05 c:\windows\Tasks\System Restore.job
- c:\windows\system32\Restore\rstrui.exe [2005-03-04 19:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyServer = 157.204.22.4:8080
uInternet Settings,ProxyOverride = *.wlgore.com;127.0.0.1;localhost;157.204.*;chipsndip;32.85.*;192.168.*;<local>
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
AddRemove-PS Printer Driver - c:\windows\ISUNINST.EXE -fc:\windows\usn0.isu
AddRemove-SHARP PS Display Font - c:\windows\ISUNINST.EXE -fc:\windows\ushsf.isu
AddRemove-Win Police Pro - c:\program files\Windows Police Pro\AntiSpyware_Uninstall.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-15 19:58
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2009-09-16 20:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-16 03:00
Pre-Run: 106,350,219,264 bytes free
Post-Run: 107,999,838,208 bytes free
Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
297 --- E O F --- 2009-08-29 02:02
#1
Posted 16 September 2009 - 03:24 AM
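Added note (not part of the thread): the log in #1 already contains the lines a helper triages first. ComboFix's own "is infected!!" and "Infected copy of ... was found and disinfected" lines for beep.sys and eventlog.dll, the Sigcheck [-] entry for the unsigned dllcache\beep.sys, the SKYNET-prefixed driver, DLLs and service (the naming used by the TDSS/TDL3 rootkit family), the "Windows Police Pro" rogue, executables dropped straight into C:\Windows (braviax.exe, svchasts.exe), two Run entries whose target "nircmd execmd" is marked [X] (file not found), the enstart service marked [?], the BITS download source, the proxy setting, and the GroupPolicy Machine\Scripts\Shutdown folder created on 2009-09-10. Computer shutdown scripts run as SYSTEM, which matches the "NT AUTHORITY\SYSTEM" shutdown the original poster describes. The Python script below is an added example that pulls those items out of a ComboFix log mechanically; it is not a ComboFix or Malwarebytes tool, the category names and path heuristics are my own, and the embedded LOG is an excerpt copied from the log posted in #1.

```python
"""Triage a ComboFix log: pull out the lines a forum helper reads first.
Added example for this thread, not a ComboFix or Malwarebytes tool; the
markers ([X], [?], "is infected!!") are as ComboFix prints them above."""
import re

# Excerpt of the log posted in #1 (lines copied from the thread, trimmed).
LOG = r"""
(((((((((( Other Deletions ))))))))))
c:\documents and settings\JHemmenw\Application Data\vudu.vbs
c:\program files\Windows Police Pro\windows Police Pro.exe
c:\windows\system32\drivers\SKYNETdepxnlcv.sys
hxxp://usewsus01.wlgore.com
c:\windows\system32\drivers\beep.sys . . . is infected!!
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
(((((((((( Drivers/Services ))))))))))
-------\Service_SKYNETmtpppcvc
(((((((((( Files Created from 2009-08-16 to 2009-09-16 ))))))))))
2009-09-10 18:28 . 2009-09-10 18:28 -------- d-----w- c:\windows\system32\GroupPolicy\Machine\Scripts\Shutdown\Shutdown
2009-09-09 14:05 . 2009-09-09 14:05 163840 ----a-w- c:\windows\svchasts.exe
[-] 2009-09-06 15:02 . AE15763F0C1122B40762AB538199C519 . 28672 . . [------] . . c:\windows\system32\dllcache\beep.sys
(((((((((( Reg Loading Points ))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGNS_Config"="nircmd execmd" [X]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"2"="nircmd execmd" [X]
S2 enstart;enstart;c:\windows\system32\enstart.exe -s --> c:\windows\system32\enstart.exe -s [?]
uInternet Settings,ProxyServer = 157.204.22.4:8080
"""

SECTION = re.compile(r"^\(+\s*(.+?)\s*\)+$")                   # "(((( Other Deletions ))))"
REG_KEY = re.compile(r"^\[(hk.+)\]$", re.I)
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)".*\[([^\]]*)\]$')  # "name"="target" [date size | X]
FILE_ROW = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+\S+\s+(.+)$")
SERVICE_NOFILE = re.compile(r"^[RS]\d ([^;]+);.*\[\?\]$")       # [?] = ComboFix found no file
SIGCHECK_FAIL = re.compile(r"^\[-\] .*? ([0-9A-Fa-f]{32}) \. (\d+) .*\] \. \. (.+)$")
PROXY = re.compile(r"^uInternet Settings,ProxyServer = (\S+)$")

ROGUE_NAMES = ("windows police pro", "windows antivirus pro")   # both named in the posted log
DROPPER_EXTS = (".exe", ".dll", ".sys", ".vbs", ".bat", ".pif", ".cpl", ".scr", ".com")


def classify_path(path):
    """My own heuristics for a deleted/created path; None when nothing stands out."""
    p = path.lower()
    folder, _, name = p.rpartition("\\")
    ext = name[name.rfind("."):] if "." in name else ""
    if name.startswith("skynet"):
        return "SKYNET-prefixed file"
    if any(r in p for r in ROGUE_NAMES):
        return "rogue security product file"
    if "\\grouppolicy\\" in p and "\\scripts\\" in p:
        # Machine\Scripts\Shutdown holds computer shutdown scripts, which run as SYSTEM
        return "Group Policy script folder"
    if ext in DROPPER_EXTS and p.startswith("c:\\documents and settings\\"):
        return "executable or script in a user profile"
    if ext in DROPPER_EXTS and folder in ("c:", "c:\\windows"):
        return "executable directly in C:\\ or C:\\Windows"
    return None


def triage(log_text):
    """Return {category: [details]} for the log lines worth a helper's attention."""
    findings, reg_key = {}, ""

    def add(cat, detail):
        findings.setdefault(cat, []).append(detail)

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "." or SECTION.match(line):
            continue
        low = line.lower()
        if "is infected!!" in low or "is missing !!" in low or low.startswith("infected copy of"):
            add("system file tampering", line)
        elif low.startswith(("hxxp://", "http://")):
            add("BITS download source", line)
        elif low.startswith("-------\\service_"):
            add("service removed", line.split("\\", 1)[1])
        elif (m := SIGCHECK_FAIL.match(line)):
            add("unsigned system file (Sigcheck)", f"{m.group(3)} md5={m.group(1)} size={m.group(2)}")
        elif (m := REG_KEY.match(line)):
            reg_key = m.group(1)                                 # context for the values below it
        elif (m := RUN_VALUE.match(line)):
            name, target, marker = m.groups()
            if marker == "X" or "policies\\explorer\\run" in reg_key.lower():
                add("autostart (missing file or policy Run key)", f"{reg_key}: {name} = {target} [{marker}]")
        elif (m := SERVICE_NOFILE.match(line)):
            add("service with no file on disk", m.group(1))
        elif (m := PROXY.match(line)):
            add("proxy configured", m.group(1))
        else:
            m = FILE_ROW.match(line)
            path = m.group(1) if m else (line if low.startswith("c:\\") else None)
            reason = classify_path(path) if path else None
            if reason:
                add(reason, path)
    return findings


if __name__ == "__main__":
    for cat, items in triage(LOG).items():
        print(f"[{cat}]")
        for item in items:
            print("   ", item)
```

Run it as-is and it prints the findings for the excerpt; for a full log, call triage() on the file's contents. The point of the [X] and [?] markers is that ComboFix could not find the file the autostart or service points at, so the two "nircmd execmd" Run entries and the enstart service are exactly the kind of item a helper would ask about next.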
#2
Posted 17 September 2009 - 07:13 AM
Hi and welcome to Malwarebytes.
It is not safe to run ComboFix unless under the supervision of a trained analyst; failure to adhere to that may render your computer unbootable.
Please go to VirusTotal, and upload the following files for analysis:
c:\windows\system32\drivers\vmscsi.sys
c:\windows\system32\enstart_.sys
Post the results in your reply.
After that, delete your copy of ComboFix, grab a fresh copy from here, and save it to your Desktop. Run it and post its log.
After that, see if MBAM will install and run. If so, update it, run a Quick Scan, and post its log.
-screen317
#3
Posted 04 October 2009 - 05:37 AM
Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!