
Malwarebytes

Which RootRepeal drivers do I disable? (attached)


21 replies to this topic

#1
FlashG

    New Member

  • Members
  • 15 posts
YoKenny sent me here from the Avast forum
This explains what I have done so far: 4.8 home won't scan

I also have the HijackThis log if you need it.

Thanks

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/03 19:24
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 1394BUS.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\1394BUS.SYS
Address: 0xF7617000 Size: 57344 File Visible: - Signed: -
Status: -

Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: ACPI_HAL
Image Path: \Driver\ACPI_HAL
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: afd.sys
Image Path: E:\WINDOWS\System32\drivers\afd.sys
Address: 0xBAA49000 Size: 138496 File Visible: - Signed: -
Status: -

Name: AnyDVD.sys
Image Path: E:\WINDOWS\System32\Drivers\AnyDVD.sys
Address: 0xBAF74000 Size: 97408 File Visible: - Signed: -
Status: -

Name: aswTdi.SYS
Image Path: E:\WINDOWS\System32\Drivers\aswTdi.SYS
Address: 0xF74F7000 Size: 42592 File Visible: - Signed: -
Status: -

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF749A000 Size: 96512 File Visible: - Signed: -
Status: -

Name: ATMFD.DLL
Image Path: E:\WINDOWS\System32\ATMFD.DLL
Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: -
Status: -

Name: Beep.SYS
Image Path: E:\WINDOWS\System32\Drivers\Beep.SYS
Address: 0xF79A9000 Size: 4224 File Visible: - Signed: -
Status: -

Name: BOOTVID.dll
Image Path: E:\WINDOWS\system32\BOOTVID.dll
Address: 0xF7897000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Cdfs.SYS
Image Path: E:\WINDOWS\System32\Drivers\Cdfs.SYS
Address: 0xBAEC9000 Size: 63744 File Visible: - Signed: -
Status: -

Name: cdrom.sys
Image Path: E:\WINDOWS\system32\DRIVERS\cdrom.sys
Address: 0xF76A7000 Size: 62976 File Visible: - Signed: -
Status: -

Name: CLASSPNP.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Address: 0xF7657000 Size: 53248 File Visible: - Signed: -
Status: -

Name: disk.sys
Image Path: disk.sys
Address: 0xF7647000 Size: 36352 File Visible: - Signed: -
Status: -

Name: dmio.sys
Image Path: dmio.sys
Address: 0xF74B2000 Size: 153344 File Visible: - Signed: -
Status: -

Name: dmload.sys
Image Path: dmload.sys
Address: 0xF798B000 Size: 5888 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: E:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xBA96D000 Size: 102400 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: E:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79DB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: Dxapi.sys
Image Path: E:\WINDOWS\System32\drivers\Dxapi.sys
Address: 0xBAC2C000 Size: 12288 File Visible: - Signed: -
Status: -

Name: dxg.sys
Image Path: E:\WINDOWS\System32\drivers\dxg.sys
Address: 0xBF9C3000 Size: 73728 File Visible: - Signed: -
Status: -

Name: dxgthk.sys
Image Path: E:\WINDOWS\System32\drivers\dxgthk.sys
Address: 0xF7A62000 Size: 4096 File Visible: - Signed: -
Status: -

Name: eacfilt.sys
Image Path: E:\WINDOWS\system32\DRIVERS\eacfilt.sys
Address: 0xF7817000 Size: 23200 File Visible: - Signed: -
Status: -

Name: Fastfat.SYS
Image Path: E:\WINDOWS\System32\Drivers\Fastfat.SYS
Address: 0xBA111000 Size: 143744 File Visible: - Signed: -
Status: -

Name: fdc.sys
Image Path: E:\WINDOWS\system32\DRIVERS\fdc.sys
Address: 0xF77E7000 Size: 27392 File Visible: - Signed: -
Status: -

Name: flpydisk.sys
Image Path: E:\WINDOWS\system32\DRIVERS\flpydisk.sys
Address: 0xBACF2000 Size: 20480 File Visible: - Signed: -
Status: -

Name: fltmgr.sys
Image Path: fltmgr.sys
Address: 0xF7461000 Size: 129792 File Visible: - Signed: -
Status: -

Name: framebuf.dll
Image Path: E:\WINDOWS\System32\framebuf.dll
Address: 0xBFF50000 Size: 12288 File Visible: - Signed: -
Status: -

Name: Fs_Rec.SYS
Image Path: E:\WINDOWS\System32\Drivers\Fs_Rec.SYS
Address: 0xF79A5000 Size: 7936 File Visible: - Signed: -
Status: -

Name: ftdisk.sys
Image Path: ftdisk.sys
Address: 0xF74D8000 Size: 125056 File Visible: - Signed: -
Status: -

Name: hal.dll
Image Path: E:\WINDOWS\system32\hal.dll
Address: 0x806EE000 Size: 131840 File Visible: - Signed: -
Status: -

Name: HDAudBus.sys
Image Path: E:\WINDOWS\system32\DRIVERS\HDAudBus.sys
Address: 0xBAF29000 Size: 163840 File Visible: - Signed: -
Status: -

Name: HIDCLASS.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS
Address: 0xF743F000 Size: 36864 File Visible: - Signed: -
Status: -

Name: HIDPARSE.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS
Address: 0xF7787000 Size: 28672 File Visible: - Signed: -
Status: -

Name: hidusb.sys
Image Path: E:\WINDOWS\system32\DRIVERS\hidusb.sys
Address: 0xBAD0E000 Size: 10368 File Visible: - Signed: -
Status: -

Name: imapi.sys
Image Path: E:\WINDOWS\system32\DRIVERS\imapi.sys
Address: 0xF7697000 Size: 42112 File Visible: - Signed: -
Status: -

Name: InCDPass.sys
Image Path: E:\WINDOWS\System32\DRIVERS\InCDPass.sys
Address: 0xF77B7000 Size: 29696 File Visible: - Signed: -
Status: -

Name: incdrm.SYS
Image Path: E:\WINDOWS\System32\Drivers\incdrm.SYS
Address: 0xF77C7000 Size: 28160 File Visible: - Signed: -
Status: -

Name: ipnat.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ipnat.sys
Address: 0xBAA93000 Size: 152832 File Visible: - Signed: -
Status: -

Name: ipsec.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ipsec.sys
Address: 0xBAB12000 Size: 75264 File Visible: - Signed: -
Status: -

Name: ipsecw2k.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
Address: 0xBAD52000 Size: 149184 File Visible: - Signed: -
Status: -

Name: isapnp.sys
Image Path: isapnp.sys
Address: 0xF75F7000 Size: 37248 File Visible: - Signed: -
Status: -

Name: kbdclass.sys
Image Path: E:\WINDOWS\system32\DRIVERS\kbdclass.sys
Address: 0xF77D7000 Size: 24576 File Visible: - Signed: -
Status: -

Name: kbdhid.sys
Image Path: E:\WINDOWS\system32\DRIVERS\kbdhid.sys
Address: 0xBAD06000 Size: 14592 File Visible: - Signed: -
Status: -

Name: KDCOM.DLL
Image Path: E:\WINDOWS\system32\KDCOM.DLL
Address: 0xF7987000 Size: 8192 File Visible: - Signed: -
Status: -

Name: ks.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ks.sys
Address: 0xBAF51000 Size: 143360 File Visible: - Signed: -
Status: -

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7860000 Size: 92928 File Visible: - Signed: -
Status: -

Name: mouclass.sys
Image Path: E:\WINDOWS\system32\DRIVERS\mouclass.sys
Address: 0xF77FF000 Size: 23040 File Visible: - Signed: -
Status: -

Name: mouhid.sys
Image Path: E:\WINDOWS\system32\DRIVERS\mouhid.sys
Address: 0xBAC30000 Size: 12160 File Visible: - Signed: -
Status: -

Name: MountMgr.sys
Image Path: MountMgr.sys
Address: 0xF7627000 Size: 42368 File Visible: - Signed: -
Status: -

Name: mrxsmb.sys
Image Path: E:\WINDOWS\system32\DRIVERS\mrxsmb.sys
Address: 0xBA9AE000 Size: 455296 File Visible: - Signed: -
Status: -

Name: Msfs.SYS
Image Path: E:\WINDOWS\System32\Drivers\Msfs.SYS
Address: 0xF781F000 Size: 19072 File Visible: - Signed: -
Status: -

Name: msgpc.sys
Image Path: E:\WINDOWS\system32\DRIVERS\msgpc.sys
Address: 0xF7577000 Size: 35072 File Visible: - Signed: -
Status: -

Name: mssmbios.sys
Image Path: E:\WINDOWS\system32\DRIVERS\mssmbios.sys
Address: 0xBAFE8000 Size: 15488 File Visible: - Signed: -
Status: -

Name: Mup.sys
Image Path: Mup.sys
Address: 0xF796D000 Size: 105344 File Visible: - Signed: -
Status: -

Name: NDIS.sys
Image Path: NDIS.sys
Address: 0xF7833000 Size: 182656 File Visible: - Signed: -
Status: -

Name: ndistapi.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ndistapi.sys
Address: 0xF793F000 Size: 10112 File Visible: - Signed: -
Status: -

Name: ndisuio.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ndisuio.sys
Address: 0xBA3C1000 Size: 14592 File Visible: - Signed: -
Status: -

Name: ndiswan.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ndiswan.sys
Address: 0xBAD88000 Size: 91520 File Visible: - Signed: -
Status: -

Name: NDProxy.SYS
Image Path: E:\WINDOWS\System32\Drivers\NDProxy.SYS
Address: 0xF7547000 Size: 40576 File Visible: - Signed: -
Status: -

Name: netbios.sys
Image Path: E:\WINDOWS\system32\DRIVERS\netbios.sys
Address: 0xF742F000 Size: 34688 File Visible: - Signed: -
Status: -

Name: netbt.sys
Image Path: E:\WINDOWS\system32\DRIVERS\netbt.sys
Address: 0xBAA6B000 Size: 162816 File Visible: - Signed: -
Status: -

Name: Npfs.SYS
Image Path: E:\WINDOWS\System32\Drivers\Npfs.SYS
Address: 0xF773F000 Size: 30848 File Visible: - Signed: -
Status: -

Name: Ntfs.sys
Image Path: Ntfs.sys
Address: 0xF7B52000 Size: 574976 File Visible: - Signed: -
Status: -

Name: ntoskrnl.exe
Image Path: E:\WINDOWS\system32\ntoskrnl.exe
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: Null.SYS
Image Path: E:\WINDOWS\System32\Drivers\Null.SYS
Address: 0xF7AAD000 Size: 2944 File Visible: - Signed: -
Status: -

Name: nvata.sys
Image Path: nvata.sys
Address: 0xF7481000 Size: 98432 File Visible: - Signed: -
Status: -

Name: NVENETFD.sys
Image Path: E:\WINDOWS\system32\DRIVERS\NVENETFD.sys
Address: 0xF7537000 Size: 54784 File Visible: - Signed: -
Status: -

Name: nvnetbus.sys
Image Path: E:\WINDOWS\system32\DRIVERS\nvnetbus.sys
Address: 0xF76C7000 Size: 40960 File Visible: - Signed: -
Status: -

Name: NVNRM.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\NVNRM.SYS
Address: 0xBAD9F000 Size: 958464 File Visible: - Signed: -
Status: -

Name: ohci1394.sys
Image Path: ohci1394.sys
Address: 0xF7607000 Size: 61696 File Visible: - Signed: -
Status: -

Name: PartMgr.sys
Image Path: PartMgr.sys
Address: 0xF770F000 Size: 19712 File Visible: - Signed: -
Status: -

Name: pci.sys
Image Path: pci.sys
Address: 0xF7597000 Size: 68224 File Visible: - Signed: -
Status: -

Name: pciide.sys
Image Path: pciide.sys
Address: 0xF7A4F000 Size: 3328 File Visible: - Signed: -
Status: -

Name: PCIIDEX.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Address: 0xF7707000 Size: 28672 File Visible: - Signed: -
Status: -

Name: PnpManager
Image Path: \Driver\PnpManager
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: point32.sys
Image Path: E:\WINDOWS\system32\DRIVERS\point32.sys
Address: 0xBACBA000 Size: 21760 File Visible: - Signed: -
Status: -

Name: psched.sys
Image Path: E:\WINDOWS\system32\DRIVERS\psched.sys
Address: 0xBAD77000 Size: 69120 File Visible: - Signed: -
Status: -

Name: ptilink.sys
Image Path: E:\WINDOWS\system32\DRIVERS\ptilink.sys
Address: 0xF77EF000 Size: 17792 File Visible: - Signed: -
Status: -

Name: PxHelp20.sys
Image Path: PxHelp20.sys
Address: 0xF7667000 Size: 35712 File Visible: - Signed: -
Status: -

Name: rasacd.sys
Image Path: E:\WINDOWS\system32\DRIVERS\rasacd.sys
Address: 0xBAD1A000 Size: 8832 File Visible: - Signed: -
Status: -

Name: rasirda.sys
Image Path: E:\WINDOWS\system32\DRIVERS\rasirda.sys
Address: 0xF7767000 Size: 19584 File Visible: - Signed: -
Status: -

Name: rasl2tp.sys
Image Path: E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
Address: 0xF76E7000 Size: 51328 File Visible: - Signed: -
Status: -

Name: raspppoe.sys
Image Path: E:\WINDOWS\system32\DRIVERS\raspppoe.sys
Address: 0xF76F7000 Size: 41472 File Visible: - Signed: -
Status: -

Name: raspptp.sys
Image Path: E:\WINDOWS\system32\DRIVERS\raspptp.sys
Address: 0xF7587000 Size: 48384 File Visible: - Signed: -
Status: -

Name: raspti.sys
Image Path: E:\WINDOWS\system32\DRIVERS\raspti.sys
Address: 0xF7807000 Size: 16512 File Visible: - Signed: -
Status: -

Name: RAW
Image Path: \FileSystem\RAW
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -

Name: rdbss.sys
Image Path: E:\WINDOWS\system32\DRIVERS\rdbss.sys
Address: 0xBAA1E000 Size: 175744 File Visible: - Signed: -
Status: -

Name: RDPCDD.sys
Image Path: E:\WINDOWS\System32\DRIVERS\RDPCDD.sys
Address: 0xF79AD000 Size: 4224 File Visible: - Signed: -
Status: -

Name: rdpdr.sys
Image Path: E:\WINDOWS\system32\DRIVERS\rdpdr.sys
Address: 0xBAD22000 Size: 196224 File Visible: - Signed: -
Status: -

Name: redbook.sys
Image Path: E:\WINDOWS\system32\DRIVERS\redbook.sys
Address: 0xF76B7000 Size: 57600 File Visible: - Signed: -
Status: -

Name: rootrepeal.sys
Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA2C5000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sr.sys
Image Path: sr.sys
Address: 0xF744F000 Size: 73472 File Visible: - Signed: -
Status: -

Name: srv.sys
Image Path: E:\WINDOWS\system32\DRIVERS\srv.sys
Address: 0xBA06F000 Size: 333952 File Visible: - Signed: -
Status: -

Name: swenum.sys
Image Path: E:\WINDOWS\system32\DRIVERS\swenum.sys
Address: 0xF7997000 Size: 4352 File Visible: - Signed: -
Status: -

Name: tcpip.sys
Image Path: E:\WINDOWS\system32\DRIVERS\tcpip.sys
Address: 0xBAAB9000 Size: 361600 File Visible: - Signed: -
Status: -

Name: TDI.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\TDI.SYS
Address: 0xF7777000 Size: 20480 File Visible: - Signed: -
Status: -

Name: termdd.sys
Image Path: E:\WINDOWS\system32\DRIVERS\termdd.sys
Address: 0xF7567000 Size: 40704 File Visible: - Signed: -
Status: -

Name: update.sys
Image Path: E:\WINDOWS\system32\DRIVERS\update.sys
Address: 0xBAC4C000 Size: 384768 File Visible: - Signed: -
Status: -

Name: usbccgp.sys
Image Path: E:\WINDOWS\system32\DRIVERS\usbccgp.sys
Address: 0xF774F000 Size: 32128 File Visible: - Signed: -
Status: -

Name: USBD.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\USBD.SYS
Address: 0xF799B000 Size: 8192 File Visible: - Signed: -
Status: -

Name: usbehci.sys
Image Path: E:\WINDOWS\system32\DRIVERS\usbehci.sys
Address: 0xF772F000 Size: 30208 File Visible: - Signed: -
Status: -

Name: usbhub.sys
Image Path: E:\WINDOWS\system32\DRIVERS\usbhub.sys
Address: 0xF7557000 Size: 59520 File Visible: - Signed: -
Status: -

Name: usbohci.sys
Image Path: E:\WINDOWS\system32\DRIVERS\usbohci.sys
Address: 0xF77F7000 Size: 17152 File Visible: - Signed: -
Status: -

Name: USBPORT.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\USBPORT.SYS
Address: 0xBAF8C000 Size: 147456 File Visible: - Signed: -
Status: -

Name: vga.sys
Image Path: E:\WINDOWS\System32\drivers\vga.sys
Address: 0xBACD2000 Size: 20992 File Visible: - Signed: -
Status: -

Name: VIDEOPRT.SYS
Image Path: E:\WINDOWS\System32\drivers\VIDEOPRT.SYS
Address: 0xBAB66000 Size: 81920 File Visible: - Signed: -
Status: -

Name: VMNetSrv.sys
Image Path: E:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
Address: 0xF76D7000 Size: 61440 File Visible: - Signed: -
Status: -

Name: VolSnap.sys
Image Path: VolSnap.sys
Address: 0xF7637000 Size: 52352 File Visible: - Signed: -
Status: -

Name: watchdog.sys
Image Path: E:\WINDOWS\System32\watchdog.sys
Address: 0xF776F000 Size: 20480 File Visible: - Signed: -
Status: -

Name: Win32k
Image Path: \Driver\Win32k
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys
Image Path: E:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: E:\WINDOWS\win32k.sys:1
Address: 0xBA51D000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: E:\WINDOWS\win32k.sys:2
Address: 0xF7887000 Size: 61440 File Visible: No Signed: -
Status: -

Name: WMILIB.SYS
Image Path: E:\WINDOWS\system32\DRIVERS\WMILIB.SYS
Address: 0xF7989000 Size: 8192 File Visible: - Signed: -
Status: -

Name: WMIxWDM
Image Path: \Driver\WMIxWDM
Address: 0x804D7000 Size: 2189056 File Visible: - Signed: -
Status: -
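The question above is which driver in that list to disable. As an added example that is not part of the original post, the Python below parses the RootRepeal 1.3.5 "Drivers" layout shown in the log and flags the entries a responder would look at first: an image path that names an NTFS alternate data stream, a loaded module with no visible file on disk (excluding the memory-only dump_* crash-dump drivers and the scanner's own rootrepeal.sys), and a file name loaded from two different directories. The sample log and the triage rules are this example's own assumptions, not RootRepeal's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the RootRepeal 1.3.5 "Drivers" layout. It copies the shape
# of the log quoted above (five representative entries); it is not that log.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
Drivers
-------------------
Name: ACPI.sys
Image Path: ACPI.sys
Address: 0xF75A8000 Size: 187776 File Visible: - Signed: -
Status: -

Name: dump_nvata.sys
Image Path: E:\WINDOWS\System32\Drivers\dump_nvata.sys
Address: 0xBA96D000 Size: 102400 File Visible: No Signed: -
Status: -

Name: win32k.sys
Image Path: E:\WINDOWS\System32\win32k.sys
Address: 0xBF800000 Size: 1847296 File Visible: - Signed: -
Status: -

Name: win32k.sys:1
Image Path: E:\WINDOWS\win32k.sys:1
Address: 0xBA51D000 Size: 20480 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: E:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA2C5000 Size: 49152 File Visible: No Signed: -
Status: -
"""

ADDR_LINE = re.compile(r"Address:\s*(?P<addr>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)"
                       r"\s+File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)")
DRIVE_PREFIX = re.compile(r"^[A-Za-z]:\\")
# dump_* drivers are in-memory copies of the boot storage stack kept for crash-dump
# writing; no file of that name exists on disk, so RootRepeal reports them as not
# visible even on a clean system. rootrepeal.sys is the scanner's own driver.
EXPECTED_HIDDEN = re.compile(r"^(dump_.*|rootrepeal\.sys)$", re.IGNORECASE)

@dataclass
class Driver:
    name: str
    image_path: str
    address: int
    size: int
    file_visible: str   # "-" means no finding, "No" means hidden from the file system
    signed: str
    flags: list = field(default_factory=list)

def parse_drivers(text: str) -> list:
    """Parse the 'Drivers' section of a RootRepeal report into Driver records."""
    _, _, body = text.partition("\nDrivers\n")   # entries are separated by blank lines
    drivers = []
    for block in re.split(r"\n\s*\n", body.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and key in ("Name", "Image Path"):
                fields[key] = value.strip()
            m = ADDR_LINE.search(line)
            if m:
                fields.update(m.groupdict())
        if "Name" in fields and "addr" in fields:   # skips the '-----' header block
            drivers.append(Driver(fields["Name"], fields.get("Image Path", ""),
                                  int(fields["addr"], 16), int(fields["size"]),
                                  fields["visible"], fields["signed"]))
    return drivers

def split_path(image_path: str):
    """(folder, file name without any ':stream' suffix), lower-cased; None if no drive."""
    if not DRIVE_PREFIX.match(image_path):
        return None                      # bare names and \Driver\... object names
    folder, _, leaf = image_path.lower().rpartition("\\")
    return folder, leaf.split(":", 1)[0]

def triage(drivers: list) -> list:
    """Attach a flag to every driver that needs a second look; return those drivers."""
    folders_by_name = {}
    for d in drivers:
        loc = split_path(d.image_path)
        if loc:
            folders_by_name.setdefault(loc[1], set()).add(loc[0])
    for d in drivers:
        if ":" in DRIVE_PREFIX.sub("", d.image_path):
            d.flags.append("image path names an NTFS alternate data stream")
        if d.file_visible.lower() == "no" and not EXPECTED_HIDDEN.match(d.name):
            d.flags.append("module is loaded but has no visible file on disk")
        loc = split_path(d.image_path)
        if loc and len(folders_by_name[loc[1]]) > 1:
            d.flags.append("same file name is loaded from more than one directory")
    return [d for d in drivers if d.flags]

if __name__ == "__main__":
    for d in triage(parse_drivers(SAMPLE_LOG)):
        print(d.name, d.image_path, "; ".join(d.flags), sep="  |  ")
```

Run against a full report, the flagged entries are the ones to research before disabling anything; a hit on all three rules for one entry, as with the win32k.sys:1 stream above, is the strongest signal in the list.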

#2
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi and welcome to Malwarebytes.

Please update MBAM, run a Quick Scan, and post its log.


After that, please visit this webpage for instructions for running ComboFix:
http://www.bleepingc...to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.


-screen317
Chris Fistonich
Consumer Support Specialist


#3
FlashG

    New Member

  • Members
  • 15 posts
Hi, maybe I should have started from the beginning. Malwarebytes and most of the other repair programs like Avast, Spybot S&D and Windows Update will not run (in Windows or safe mode).

However, I did get RootRepeal to run, but I don't know which .sys file to disable. I understand that after I disable the correct file I can then run Malwarebytes.

That being said, I will now follow your direction and run ComboFix and report back the findings.

#4
FlashG

    New Member

  • Members
  • 15 posts
I am replying from another PC because ComboFix is on its 10th reboot and counting.
It keeps finding the same rootkit activity files and reboots:
E:\windows\system32\drivers\gasfkytxyumndx.sys
E:\windows\system32\gasfkyxoflnwsn.dll
E:\windows\system32\gasfkytjuprwic.dat
E:\windows\system32\gasfkyaqysqegh.dll
E:\windows\system32\gasfkyvkdubcrx.dat
E:\windows\system32\gasfkyydapwoon.dll


I had to initially install Microsoft Recovery, and on the 10th reboot I tried to boot to it and it reported:
Windows could not start because the following file is missing or corrupt.
<windows root> system32\hal.dll
Please re-install a copy of the above file.

Should I just let combofix run?
Thanks

#5
FlashG

    New Member

  • Members
  • 15 posts
BTW, I haven't seen an Auto Scan window that shows "Completed Stage_x" or a "Log Report window". All my machine does is run ComboFix, list the same 6 files and reboot (in Windows and safe mode).

I never could run Malwarebytes (renamed, in Windows or safe mode), as I said in my title.

I sincerely hope my O.S. isn't toast.

#6
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Sit tight. I'll be back with you as soon as possible.

Do you have your Windows XP CD?
Chris Fistonich
Consumer Support Specialist


#7
FlashG

    New Member

  • Members
  • 15 posts
I managed to stop ComboFix from constantly rebooting and get Malwarebytes to run in safe mode. :D I also re-ran HijackThis and ISeeYouXP. Let me know if you want them. I'm deathly afraid to run ComboFix again unless you want me to.

-----------------

Malwarebytes' Anti-Malware 1.41
Database version: 2907
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/4/2009 10:12:09 PM
mbam-log-2009-10-04 (22-12-03).txt

Scan type: Quick Scan
Objects scanned: 112573
Time elapsed: 6 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{9d3cf193-58e5-40d5-ba60-233f4c216e37} (Rogue.MalwareRemovalBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1f26a7a704abd8f4f8801f37167d691f (Rogue.MalwareBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\93de74a43267cfb4ca586db6f1f79964 (Rogue.MalwareBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\aa02c0f5889834c42886c1a98ea53266 (Rogue.MalwareBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\b575e3c1288dd9e4a83e9e064562cdc1 (Rogue.MalwareBot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\d37f1f5d110c2ea4c85ec64e702394b9 (Rogue.MalwareBot) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\poprock (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gasfkyeulxjnup (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\e:\program files\malwareremovalbot\(default) (Rogue.MalwareRemovalBot) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tftp.nfo beforegllav) Good: (Explorer.exe) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> No action taken.
E:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
E:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
E:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job (Rogue.MalwareRemovalBot) -> No action taken.
E:\WINDOWS\win32k.sys (Trojan.Dropper) -> No action taken.

#8
FlashG

    New Member

  • Members
  • 15 posts
I decided to give you the HijackThis log. The ISeeYouXP log is quite large (776 KB).

-------------------------------
Logfile of HijackThis v1.97.7
Scan saved at 10:31:53 PM, on 10/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Documents and Settings\Ed\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.bls.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F0 - system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav
F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tftp.nfo beforegllav
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - E:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - E:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - E:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - E:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - E:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [itype] "E:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [nmctxth] "E:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] E:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "E:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] E:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International
O15 - Trusted Zone: http://www.unitedmedia.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shock...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152884808703
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153692684828
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} (Java Plug-in 1.6.0_12) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -

#9
FlashG

    New Member

  • Members
  • 15 posts
Yes I have my Windows XP CD

#10
FlashG

    New Member

  • Members
  • 15 posts
Well, I grabbed some guts and managed to get a Malwarebytes log in safe mode. Even though I disabled Avast in Windows, apparently it was running in safe mode. I hope nothing got messed up. :blink:

---------------------------
ComboFix 09-10-04.01 - Ed 10/04/2009 23:19.1.1 - NTFSx86 NETWORK
Running from: e:\documents and settings\Ed\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091004-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
ADS - WINDOWS: deleted 48 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

e:\program files\Common
e:\windows\system32\drivers\gasfkytxyumndx.sys
e:\windows\system32\gasfkyaqysqegh.dll
e:\windows\system32\gasfkytjuprwic.dat
e:\windows\system32\gasfkyvkdubcrx.dat
e:\windows\system32\gasfkyxoflnwsn.dll
e:\windows\system32\gasfkyydapwoon.dll
e:\windows\system32\wl.exe
e:\windows\wpd99.drv

Infected copy of e:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - e:\windows\system32\dllcache\eventlog.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkyeulxjnup
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkyeulxjnup


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 02:04 . 2009-09-10 18:54 38224 ----a-w- e:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 02:04 . 2009-09-10 18:53 19160 ----a-w- e:\windows\system32\drivers\mbam.sys
2009-10-03 12:55 . 2009-09-15 10:54 52368 ----a-w- e:\windows\system32\drivers\aswTdi.sys
2009-10-03 12:55 . 2009-09-15 10:54 23152 ----a-w- e:\windows\system32\drivers\aswRdr.sys
2009-10-03 12:55 . 2009-09-15 10:53 27408 ----a-w- e:\windows\system32\drivers\aavmker4.sys
2009-10-03 12:55 . 2009-09-15 10:53 97480 ----a-w- e:\windows\system32\AvastSS.scr
2009-10-03 12:55 . 2009-09-15 10:56 93424 ----a-w- e:\windows\system32\drivers\aswmon.sys
2009-10-03 12:55 . 2009-09-15 10:56 94160 ----a-w- e:\windows\system32\drivers\aswmon2.sys
2009-10-03 12:55 . 2009-09-15 10:55 114768 ----a-w- e:\windows\system32\drivers\aswSP.sys
2009-10-03 12:55 . 2009-09-15 10:55 20560 ----a-w- e:\windows\system32\drivers\aswFsBlk.sys
2009-10-03 12:55 . 2009-09-15 10:59 1279968 ----a-w- e:\windows\system32\aswBoot.exe
2009-10-03 12:55 . 2009-10-03 12:55 -------- d-----w- e:\program files\Alwil Software
2009-10-01 15:58 . 2009-10-01 15:58 -------- d-----w- e:\documents and settings\Ed\Application Data\Malwarebytes
2009-10-01 15:58 . 2009-10-05 02:12 -------- d-----w- e:\program files\Malwarebytes' Anti-Malware
2009-10-01 15:58 . 2009-10-01 15:58 -------- d-----w- e:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 17:51 . 2008-04-14 00:12 116224 -c--a-w- e:\windows\system32\dllcache\xrxwiadr.dll
2009-09-30 17:51 . 2001-08-18 02:36 23040 -c--a-w- e:\windows\system32\dllcache\xrxwbtmp.dll
2009-09-30 17:51 . 2008-04-14 00:12 18944 -c--a-w- e:\windows\system32\dllcache\xrxscnui.dll
2009-09-30 17:51 . 2001-08-18 02:37 27648 -c--a-w- e:\windows\system32\dllcache\xrxftplt.exe
2009-09-30 17:51 . 2001-08-18 02:37 4608 -c--a-w- e:\windows\system32\dllcache\xrxflnch.exe
2009-09-30 17:51 . 2001-08-18 02:37 99865 -c--a-w- e:\windows\system32\dllcache\xlog.exe
2009-09-30 17:49 . 2001-08-17 16:13 19528 -c--a-w- e:\windows\system32\dllcache\w840nd.sys
2009-09-30 17:48 . 2004-08-04 02:31 32384 -c--a-w- e:\windows\system32\dllcache\usb101et.sys
2009-09-30 17:47 . 2001-08-17 18:56 440576 -c--a-w- e:\windows\system32\dllcache\tridkb.dll
2009-09-30 17:46 . 2001-08-17 17:49 30464 -c--a-w- e:\windows\system32\dllcache\tbatm155.sys
2009-09-30 17:45 . 2001-08-17 16:11 48736 -c--a-w- e:\windows\system32\dllcache\srwlnd5.sys
2009-09-30 17:44 . 2001-08-17 16:10 35913 -c--a-w- e:\windows\system32\dllcache\smcirda.sys
2009-09-30 17:43 . 2001-07-21 18:29 161568 -c--a-w- e:\windows\system32\dllcache\sgsmusb.sys
2009-09-30 17:43 . 2001-07-21 18:29 18400 -c--a-w- e:\windows\system32\dllcache\sgsmld.sys
2009-09-30 17:43 . 2001-08-17 16:51 98080 -c--a-w- e:\windows\system32\dllcache\sgiulnt5.sys
2009-09-30 17:43 . 2001-08-18 02:36 386560 -c--a-w- e:\windows\system32\dllcache\sgiul50.dll
2009-09-30 17:43 . 2001-08-17 16:19 36480 -c--a-w- e:\windows\system32\dllcache\sfmanm.sys
2009-09-30 17:43 . 2001-08-17 17:53 6784 -c--a-w- e:\windows\system32\dllcache\serscan.sys
2009-09-30 17:43 . 2001-08-17 17:48 17664 -c--a-w- e:\windows\system32\dllcache\sermouse.sys
2009-09-30 17:43 . 2001-08-17 17:53 6912 -c--a-w- e:\windows\system32\dllcache\seaddsmc.sys
2009-09-30 17:43 . 2008-04-13 18:45 11520 -c--a-w- e:\windows\system32\dllcache\scsiscan.sys
2009-09-30 17:41 . 2001-08-18 02:36 79872 -c--a-w- e:\windows\system32\dllcache\rwia430.dll
2009-09-30 17:40 . 2001-08-17 17:52 40320 -c--a-w- e:\windows\system32\dllcache\ql1080.sys
2009-09-30 17:39 . 2008-04-13 18:44 27904 -c--a-w- e:\windows\system32\dllcache\perm2.sys
2009-09-30 17:38 . 2001-08-17 18:05 25088 -c--a-w- e:\windows\system32\dllcache\ovca.sys
2009-09-30 17:37 . 2001-08-17 18:56 91488 -c--a-w- e:\windows\system32\dllcache\n9i3disp.dll
2009-09-30 17:36 . 2001-08-17 17:48 6016 -c--a-w- e:\windows\system32\dllcache\msfsio.sys
2009-09-30 17:35 . 2001-08-17 17:53 4992 -c--a-w- e:\windows\system32\dllcache\loop.sys
2009-09-30 17:34 . 2001-08-17 16:12 45632 -c--a-w- e:\windows\system32\dllcache\ip5515.sys
2009-09-30 17:33 . 2008-04-14 00:11 702845 -c--a-w- e:\windows\system32\dllcache\i81xdnt5.dll
2009-09-30 17:32 . 2001-08-18 02:36 32768 -c--a-w- e:\windows\system32\dllcache\hpgtmcro.dll
2009-09-30 17:31 . 2001-08-17 16:15 455680 -c--a-w- e:\windows\system32\dllcache\fus2base.sys
2009-09-30 17:30 . 2001-08-18 02:36 51200 -c--a-w- e:\windows\system32\dllcache\eqnlogr.exe
2009-09-30 17:29 . 2001-08-18 02:36 236060 -c--a-w- e:\windows\system32\dllcache\ditrace.exe
2009-09-30 17:28 . 2001-08-17 16:19 42112 -c--a-w- e:\windows\system32\dllcache\crtaud.sys
2009-09-30 17:27 . 2001-08-17 17:51 13824 -c--a-w- e:\windows\system32\dllcache\bulltlp3.sys
2009-09-30 17:26 . 2001-08-17 16:19 553984 -c--a-w- e:\windows\system32\dllcache\adm8820.sys
2009-09-30 05:13 . 2009-08-20 21:51 195440 ------w- e:\windows\system32\MpSigStub.exe
2009-09-30 04:00 . 2009-10-02 00:14 -------- d-----w- e:\program files\Microsoft Security Essentials
2009-09-29 21:50 . 2005-01-14 06:41 11254 ----a-w- e:\windows\system32\locate.com
2009-09-29 18:46 . 2009-09-29 18:46 -------- d-----w- E:\ISeeYouXP
2009-09-29 18:45 . 2009-09-29 18:45 -------- d-----w- e:\program files\ExplorerXP
2009-09-27 02:32 . 2009-09-27 02:32 -------- d-sh--w- e:\windows\system32\config\systemprofile\IETldCache
2009-09-26 18:03 . 2009-09-30 10:41 -------- d-----w- e:\program files\a-squared Free
2009-09-24 14:14 . 2009-10-03 23:28 0 ----a-r- e:\windows\win32k.sys
2009-09-05 05:16 . 2009-09-05 05:16 -------- d-----w- e:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-09-05 05:16 . 2009-09-05 05:16 -------- d-----w- e:\documents and settings\Ed\Application Data\Office Genuine Advantage

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 03:15 . 2008-08-29 01:56 1324 ----a-w- e:\windows\system32\d3d9caps.dat
2009-10-04 00:19 . 2008-03-02 03:52 -------- d---a-w- e:\documents and settings\All Users\Application Data\TEMP
2009-10-03 02:07 . 2008-04-12 18:57 -------- d-----w- e:\program files\RegCure
2009-09-30 17:07 . 2006-07-14 13:18 -------- d-----w- e:\program files\Spybot - Search & Destroy
2009-09-30 17:07 . 2006-07-14 13:18 -------- d-----w- e:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 03:55 . 2006-07-15 04:06 -------- d-----w- e:\program files\Lavasoft
2009-09-25 12:35 . 2008-01-26 01:36 -------- d-----w- e:\documents and settings\All Users\Application Data\Lavasoft
2009-09-08 17:54 . 2008-03-17 02:09 -------- d-----w- e:\program files\Microsoft Silverlight
2009-09-02 12:49 . 2007-02-15 21:16 -------- d-----w- e:\program files\Bethesda Softworks
2009-08-23 14:19 . 2006-12-09 17:11 -------- d-----w- e:\program files\QuickTime
2009-08-18 03:21 . 2007-12-01 03:05 -------- d-----w- e:\program files\Canon
2009-08-18 03:20 . 2009-08-18 03:20 -------- d-----w- e:\documents and settings\All Users\Application Data\ZoomBrowser
2009-08-18 03:18 . 2009-08-18 03:18 -------- d-----w- e:\program files\Common Files\Canon
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- e:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- e:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- e:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- e:\windows\system32\OGAEXEC.exe
2009-07-25 09:23 . 2008-12-12 19:40 411368 ----a-w- e:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- e:\windows\system32\atl.dll
2009-07-15 21:40 . 2009-07-15 21:40 229208 ----a-w- e:\windows\system32\drivers\VMM.sys
2009-07-14 03:43 . 2004-08-04 12:00 286208 ----a-w- e:\windows\system32\wmpdxm.dll
2008-03-13 22:09 . 2008-03-13 22:09 0 -c--a-w- e:\program files\temp01
2001-10-05 15:53 . 2006-06-30 10:32 21866 -c--a-w- e:\program files\Common Files\tppupd2k.dll
2007-09-30 18:32 . 2007-09-30 18:32 0 -csh--w- e:\windows\S9259FD30.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="e:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="e:\program files\Microsoft IntelliType Pro\itype.exe" [2006-07-07 576320]
"nmctxth"="e:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-05-16 648504]
"NvCplDaemon"="e:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"QuickTime Task"="e:\program files\QuickTime\qttask.exe" [2009-08-23 413696]
"avast!"="e:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"nwiz"="nwiz.exe" - e:\windows\system32\nwiz.exe [2008-09-18 1657376]

e:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - e:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-6-24 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
path=
backup=

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^DigiCell.lnk]
backup=e:\windows\pss\DigiCell.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=e:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\E:^Documents and Settings^Ed^Start Menu^Programs^Startup^St. Johns County Library System Tray App.lnk]
backup=e:\windows\pss\St. Johns County Library System Tray App.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PopRock
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\Games\\CAVEDOG\\TOTALA\\prefrontend.exe"=
"e:\\Program Files\\Smartparts\\Smartparts Desktop\\OptiPix.exe"=
"e:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"e:\\WINDOWS\\system32\\dpvsetup.exe"=
"e:\\WINDOWS\\system32\\dxdiag.exe"=
"e:\\WINDOWS\\system32\\dpnsvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service

R3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2006-05-09 835584]
R3 IPSECEXT;Nortel Extranet Access Protocol;e:\windows\system32\DRIVERS\ipsecw2k.sys [2006-05-09 155216]
R3 WFIOCTL;WFIOCTL;e:\program files\WinFast\WFTVFM\WFIOCTL.SYS [x]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;e:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 LinksysUpdater;Linksys Updater;e:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-01-15 204800]
S2 wlidsvc;Windows Live ID Sign-in Assistant;e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
S3 Eacfilt;Eacfilt Miniport;e:\windows\system32\DRIVERS\eacfilt.sys [2006-05-09 24521]
S3 WFsys;WinFox Control I/O Driver;e:\windows\system32\DRIVERS\wfsys.sys [2002-04-22 13692]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"e:\windows\system32\rundll32.exe" "e:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-05 e:\windows\Tasks\RegCure Program Check.job
- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-05 e:\windows\Tasks\RegCure Startup.job
- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-04 e:\windows\Tasks\RegCure.job
- e:\program files\RegCure\RegCure.exe [2009-06-10 22:28]

2009-10-05 e:\windows\Tasks\User_Feed_Synchronization-{A2AD8B70-17B9-4A06-A27C-C7816CEC16C6}.job
- e:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.bls.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: turbotax.com
Trusted Zone: unitedmedia.com\www
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
AddRemove-DIVXCodec - e:\windows\rundll.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 23:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-926492609-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:6c,56,8a,88,ad,44,2d,e7,a3,65,1c,8c,9e,6b,6d,d8,0c,2f,67,46,9b,
2d,bd,71,b5,89,34,6e,f1,2c,3b,a4,00,09,26,b7,20,1c,7a,82,fd,10,dc,a0,66,63,\
"rkeysecu"=hex:ab,69,d1,dd,5a,b5,21,90,9d,1a,a8,19,e7,cd,16,7c

[HKEY_USERS\S-1-5-21-343818398-926492609-725345543-1003\Software\Zepter Software\RegLib*30bfa56e\AnyDVD/1]
"1"=dword:44ae3382
"2"=dword:450cbc16

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1768)
e:\windows\system32\ginamsi.dll

- - - - - - - > 'explorer.exe'(1204)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\program files\Microsoft Virtual PC\VPCShExH.DLL
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Ahead\InCD\InCDsrv.exe
e:\program files\Alwil Software\Avast4\aswUpdSv.exe
e:\program files\Alwil Software\Avast4\ashServ.exe
e:\program files\Java\jre6\bin\jqs.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\java.exe
e:\windows\system32\searchindexer.exe
e:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
e:\program files\Canon\CAL\CALMAIN.exe
e:\windows\system32\wscntfy.exe
e:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
e:\program files\Alwil Software\Avast4\ashMaiSv.exe
e:\windows\system32\searchprotocolhost.exe
e:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-10-05 23:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 03:31

Pre-Run: 29,662,674,944 bytes free
Post-Run: 31,093,444,608 bytes free

273 --- E O F --- 2009-10-04 07:00

#11
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles

Quote

Well I grabbed some guts
Looks like it helped. :)

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button.
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.


Next, download my Security Check from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317
Chris Fistonich
Consumer Support Specialist


#12
FlashG

    New Member

  • Members
  • 15 posts
Here are the F-Secure Online Scanner results.
------------------------------
Scanning Report
Tuesday, October 6, 2009 09:56:28 - 10:34:13
Computer name: EPG-AD8A10EF408
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\ E:\ G:\ H:\ I:\


--------------------------------------------------------------------------------

7 malware found
TrackingCookie.Adinterax (spyware)
System (Disinfected)
TrackingCookie.Atdmt (spyware)
System (Disinfected)
TrackingCookie.Revsci (spyware)
System (Disinfected)
TrackingCookie.Webtrends (spyware)
System (Disinfected)
TrackingCookie.Atwola (spyware)
System (Disinfected)
Trojan.Generic.1910083 (virus)
C:\WINFAST WORKAREA\GAMES\DIABLO II\DRUG+MASTER5.1.EXE (Renamed & Submitted)
Trojan.Generic.58451 (virus)
C:\WINFAST WORKAREA\COMPUTER\DVD STUFF - JIM\DVD\DVD2ONE2V2.0.0\DVD2ONE2V2.EXE (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 31085
System: 6401
Not scanned: 1
Actions:
Disinfected: 5
Renamed: 2
Deleted: 0
Not cleaned: 0
Submitted: 2
Files not scanned:
C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

#13
FlashG

    New Member

  • Members
  • 15 posts
Here are the Security Check results.

----------------------------
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:

avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
``````````````````````````````
Anti-malware/Other Utilities Check:

Windows Defender Signatures
Java™ 6 Update 15
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 7.0.9
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
system32 fsonlinescanner.exe -?-
``````````````````````````````
DNS Vulnerability Check:

nslookup.exe missing!
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

#14
FlashG

    New Member

  • Members
  • 15 posts
Problems identified so far:

- Microsoft update can't install "Security Update for Windows XP (KB956572)"

- Avast can't scan because of an unknown error "Skin is not complete. Look at the following description: Skin is not loaded properly." Then the program shuts down.
Actually I'm thinking of going with MS Defender or the new MS System Check.

#15
FlashG

    New Member

  • Members
  • 15 posts
screen317

Once we get everything in order can you make any recommendations on the spyware & virus programs (Avast and Spybot S&D) that I am using?

Is MS Defender or the new MS System Check better or worse than what I am now using?

Should I be running the various programs (Malwarebytes, ComboFix, HijackThis, F-Secure and Security Check) on a routine basis? Or are they after-the-fact troubleshooters?

#16
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi,


Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Delete SecurityCheck.


After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Java™ 6 Update 15
Java™ SE Runtime Environment 6 Update 1
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Adobe Reader 7.0.9


Restart your computer.

Get the latest version of Java and Adobe Reader.


FlashG, on Oct 6 2009, 08:29 AM, said:

- Microsoft update can't install "Security Update for Windows XP (KB956572)"
Is it giving you a particular error message?

Quote

- Avast can't scan because of an unknown error "Skin is not complete. Look at the following description: Skin is not loaded properly." Then the program shuts down.
Uninstall avast! and give AntiVir a try.


FlashG, on Oct 6 2009, 10:05 AM, said:

Once we get everything in order can you make any recommendations on the spyware & virus programs (Avast and Spybot S&D) that I am using?
Yes once all of the issues are taken care of, I will give security recommendations.

Quote

Is MS Defender or the new MS System Check better or worse than what I am now using?
Windows Defender was never that great with detections; it's installed by default on Vista, but I would recommend MBAM over it.

Quote

Should I be running the various programs (Malwarebytes, ComboFix, HijackThis, F-Secure and Security Check) on a routine basis? Or are they after-the-fact troubleshooters?
Update and run MBAM habitually. Purchasing the pro version of MBAM (I highly recommend doing so) will give you realtime protection and automatic updating. ComboFix you have just removed; it is not recommended to run it unless under the supervision of a trained analyst. You can run the F-Secure online scan every so often if you'd like. SecurityCheck isn't worth running more than once in a long while; it's just a little program I wrote to help me out here on the forums.


Let me know how it goes.

-screen317
Chris Fistonich
Consumer Support Specialist


#17
FlashG

    New Member

  • Members
  • 15 posts
Latest Update:

I replaced my Avast virus checker with Avira AntiVir. I also removed SpyBot S&D but have not added any new spyware program yet. Any suggestions?

I removed everything except malwarebytes. I plan on purchasing the pro version.

Got the latest version of Java and Adobe Reader.

I took a case out with Microsoft Support. We verified the relevant Windows Update services and registered the Windows Update engine files. I can now access Windows Update as usual. I also sent them the WindowsUpdate.log.

I can access and install most updates except for KB890830 & KB956572 (malicious software removal & security updates). The Windows PowerShell KB926141 had no problem installing. The 2 programs downloaded & loaded but would not install. I also have the yellow installation shield with the same 2 programs on my task bar. They won’t automatically install either. I then separately downloaded KB890830 & KB956572 and neither one would install.

Please understand that I don’t get any errors. The programs simply fail to install.

In lieu of everything would you give security recommendations now?

#18
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
Hi,

FlashG, on Oct 7 2009, 11:05 AM, said:

Latest Update:

I replaced my Avast virus checker with Avira AntiVir. I also removed SpyBot S&D but have not added any new spyware program yet. Any suggestions?

I removed everything except malwarebytes. I plan on purchasing the pro version.
Good choice. See the bottom of this post for my recommendations.


Quote

Got the latest version of Java and Adobe Reader.
Good.


Quote

I can access and install most updates except for KB890830 & KB956572 (malicious software removal & security updates). The Windows PowerShell KB926141 had no problem installing. The 2 programs downloaded & loaded but would not install. I also have the yellow installation shield with the same 2 programs on my task bar. They won’t automatically install either. I then separately downloaded KB890830 & KB956572 and neither one would install.
Take up another case with Microsoft; they know their specific updates better than I do.




Please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.

Kerio
Comodo
Outpost

2) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

3) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

4) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

5) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

6) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
  • Green to go
  • Yellow for caution
  • Red to stop
WOT has an addon available for both Firefox and IE.

7) Be sure to update your Antivirus and Antispyware programs often!


Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?




Safe surfing,

-screen317
Chris Fistonich
Consumer Support Specialist


#19
FlashG

    New Member

  • Members
  • 15 posts
Are Malwarebytes and SpywareBlaster compatible with each other? It looks to me like they both do similar things.

I really do appreciate all of your help and suggestions.

#20
screen317

    MBAM Sentinel

  • Moderators
  • 16,432 posts
  • Gender:Male
  • Location:Los Angeles
They protect you differently and work well side-by-side. SpywareBlaster is passive protection; it runs in the background and doesn't alert you of anything; MBAM, however, is active protection, waiting for an infection to begin to attempt to run (or waiting for you to visit a suspicious site) before acting.

-screen317
Chris Fistonich
Consumer Support Specialist

