I followed your instructions, including deactivation of Avira's antivirus and firewall facilities.
One question before getting to the results:
Combofix asked if I had Windows XP Home Edition. I believe I said "No," because I have the Professional edition (SP2). However, when it installed the Recovery Console, the messages on screen referred to installation of the Recovery Console for Windows XP Home Edition. Do I need to uninstall Recovery Console for Home Edition, and manually install the version for Professional?
Combofix ran without errors, and deleted and restored some files. I can quickly see these improvements:
1) GMER no longer shows the strange DLL (\\?\globalroot\Device\__max++>\289A8304.x86.dll) that had been attached to several processes, which is good.
2) I had not been able to start a command window (CMD.EXE), and now I can.
3) MS Outlook had not been able to load MS Word as my editor, and now it can.
I don't know if everything is perfect, but this is a big improvement! Thanks!
Combofix log follows. I look forward to your conclusions.
===
ComboFix Beta_09-08-18.01 - Kevin Thompson 08/18/2009 12:02.1.2 - NTFSx86
Running from: c:\program files\Combofix\sVchost.com
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {11638345-E4FC-4BEE-BB73-EC754659C5F6}
FW: Avira Firewall *disabled* {11638345-E4FC-4BEE-BB73-EC754659C5F6}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre11.tmp
c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre1A.tmp
c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\Pre1D.tmp
c:\documents and settings\Kevin Thompson\Local Settings\Temporary Internet Files\webex.ini
c:\program files\FunWebProducts
c:\windows\Downloaded Program Files\Install.inf
c:\windows\Fonts\WPHV07NB.TTF
c:\windows\Installer\19608d8.msi
c:\windows\Installer\1e615.msi
c:\windows\Installer\7ce8c.msi
c:\windows\system32\sonhelp.htm
c:\windows\system32\tapi.nfo
Infected copy of c:\windows\system32\scecli.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\scecli.dll
Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\system32\dllcache\proquota.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.
2009-08-18 19:05 . 2004-08-04 12:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-08-18 18:45 . 2009-08-18 18:55 -------- d-----w- c:\program files\Combofix
2009-08-16 20:27 . 2009-08-16 20:27 185344 ----a-w- c:\windows\system32\drivers\KeDetective130.sys
2009-08-16 19:56 . 2009-08-18 07:09 -------- d-----w- c:\program files\gmerprogram
2009-08-16 19:09 . 2009-08-16 20:50 -------- d-----w- c:\program files\KernDet
2009-08-16 19:07 . 2009-08-16 19:57 -------- d-----w- c:\program files\RadIns
2009-08-16 04:35 . 2009-08-18 03:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2009-08-16 04:05 . 2009-08-18 04:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-16 03:21 . 2009-08-16 03:23 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-08-16 02:44 . 2004-08-04 07:56 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2009-08-16 02:44 . 2001-08-18 05:36 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-08-16 02:44 . 2001-08-18 05:36 17408 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2009-08-16 02:42 . 2004-08-04 05:29 33599 -c--a-w- c:\windows\system32\dllcache\watv04nt.sys
2009-08-16 02:41 . 2001-08-17 20:28 793598 -c--a-w- c:\windows\system32\dllcache\usr1806.sys
2009-08-16 02:40 . 2001-08-17 19:51 159232 -c--a-w- c:\windows\system32\dllcache\tridkbm.sys
2009-08-16 02:39 . 2001-08-17 19:50 36640 -c--a-w- c:\windows\system32\dllcache\t2r4mini.sys
2009-08-16 02:38 . 2001-08-17 20:51 61824 -c--a-w- c:\windows\system32\dllcache\speed.sys
2009-08-16 02:37 . 2004-08-04 07:56 73796 -c--a-w- c:\windows\system32\dllcache\slserv.exe
2009-08-16 02:36 . 2001-08-17 20:53 6912 -c--a-w- c:\windows\system32\dllcache\seaddsmc.sys
2009-08-16 02:35 . 2001-08-18 05:36 26624 -c--a-w- c:\windows\system32\dllcache\rw450ext.dll
2009-08-16 02:34 . 2001-08-17 20:28 130942 -c--a-w- c:\windows\system32\dllcache\ptserlv.sys
2009-08-16 02:33 . 2001-08-17 19:11 35328 -c--a-w- c:\windows\system32\dllcache\pcntpci5.sys
2009-08-16 02:32 . 2001-08-17 19:50 198144 -c--a-w- c:\windows\system32\dllcache\nv3.sys
2009-08-16 02:31 . 2001-08-17 19:11 52255 -c--a-w- c:\windows\system32\dllcache\n1000nt5.sys
2009-08-16 02:30 . 2001-08-17 19:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2009-08-16 02:29 . 2001-08-18 05:36 242176 -c--a-w- c:\windows\system32\dllcache\kdsusd.dll
2009-08-16 02:28 . 2001-08-18 05:36 372824 -c--a-w- c:\windows\system32\dllcache\iconf32.dll
2009-08-16 02:27 . 2001-08-17 20:28 44863 -c--a-w- c:\windows\system32\dllcache\hsf_soar.sys
2009-08-16 02:26 . 2001-08-17 20:28 907456 -c--a-w- c:\windows\system32\dllcache\hcf_msft.sys
2009-08-16 02:25 . 2001-08-18 05:36 45568 -c--a-w- c:\windows\system32\dllcache\esunib.dll
2009-08-16 02:24 . 2001-08-17 21:07 20192 -c--a-w- c:\windows\system32\dllcache\dpti2o.sys
2009-08-16 02:23 . 2001-08-17 19:19 93952 -c--a-w- c:\windows\system32\dllcache\cwcwdm.sys
2009-08-16 02:22 . 2001-08-17 20:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2009-08-16 02:21 . 2004-08-04 05:29 30671 -c--a-w- c:\windows\system32\dllcache\ati1raxx.sys
2009-08-14 22:12 . 2009-08-16 03:13 -------- d-----w- c:\program files\RooRevealer
2009-08-14 21:33 . 2009-08-14 21:33 -------- d-----w- c:\program files\TM
2009-08-14 21:28 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-14 21:28 . 2009-08-16 22:42 -------- d-----w- c:\program files\mb
2009-08-14 21:28 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 02:17 . 2009-08-13 18:36 -------- d-----w- c:\program files\tool
2009-08-12 20:26 . 2009-08-12 20:26 -------- d-----w- c:\program files\RootRepeal
2009-08-12 05:15 . 2009-08-18 03:24 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-12 05:15 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
2009-08-12 05:15 . 2009-08-18 03:23 -------- d-----w- c:\program files\Lavasoft
2009-08-11 09:12 . 2009-08-11 09:12 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Avira
2009-08-11 08:18 . 2009-05-08 21:13 97608 ----a-w- c:\windows\system32\drivers\avfwot.sys
2009-08-11 08:18 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-08-11 08:18 . 2009-02-24 20:06 69632 ----a-w- c:\windows\system32\drivers\avfwim.sys
2009-08-11 08:18 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-08-11 08:18 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-08-11 08:18 . 2009-08-14 19:46 -------- d-----w- c:\program files\Avira
2009-08-11 08:18 . 2009-08-11 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2009-08-11 04:15 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-10 23:07 . 2009-08-10 23:07 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Malwarebytes
2009-08-10 23:07 . 2009-08-10 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-10 19:12 . 2009-08-10 19:12 -------- d-----w- c:\documents and settings\Administrator\Application Data\Subversion
2009-08-10 04:09 . 2009-08-10 04:09 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\UClick
2009-08-10 01:12 . 2009-08-10 01:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-08-10 01:10 . 2009-08-10 01:11 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}(2)
2009-08-10 00:52 . 2009-07-15 18:48 29000 ----a-w- c:\windows\system32\uxtuneup(2).dll
2009-08-10 00:52 . 2009-08-10 00:52 361288 ----a-w- c:\windows\system32\TuneUpDefragService(2).exe
2009-08-10 00:52 . 2009-08-10 00:52 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\TuneUp Software
2009-08-10 00:51 . 2009-08-10 01:11 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-10 00:51 . 2009-08-10 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-09 23:10 . 2009-08-09 23:10 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\URSoft
2009-08-09 23:00 . 2009-08-09 23:00 -------- d-----w- c:\program files\VS Revo Group
2009-08-09 02:13 . 2009-08-09 02:13 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\SUPERAntiSpyware.com
2009-08-09 01:52 . 2009-08-10 01:12 -------- d-----w- c:\program files\Norton Support
2009-08-08 23:41 . 2009-08-09 00:16 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-08 23:41 . 2009-08-09 00:15 -------- d-----w- c:\program files\NOS
2009-08-08 07:13 . 2009-08-10 17:39 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Microsoft
2009-08-08 07:11 . 2009-08-08 07:11 -------- d-sh--w- C:\found.000
2009-08-04 11:03 . 2009-08-04 11:04 108945018 ----a-w- C:\F_1249383830.reg
2009-07-31 00:10 . 2009-07-31 00:12 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Super-Cow
2009-07-31 00:07 . 2008-10-10 11:52 452440 ----a-w- c:\windows\system32\d3dx10_40.dll
2009-07-31 00:07 . 2008-10-10 11:52 2036576 ----a-w- c:\windows\system32\D3DCompiler_40.dll
2009-07-31 00:07 . 2008-10-10 11:52 4379984 ----a-w- c:\windows\system32\D3DX9_40.dll
2009-07-31 00:07 . 2008-10-27 17:04 514384 ----a-w- c:\windows\system32\XAudio2_3.dll
2009-07-31 00:07 . 2008-10-27 17:04 235856 ----a-w- c:\windows\system32\xactengine3_3.dll
2009-07-31 00:07 . 2008-10-27 17:04 70992 ----a-w- c:\windows\system32\XAPOFX1_2.dll
2009-07-31 00:07 . 2008-10-27 17:04 23376 ----a-w- c:\windows\system32\X3DAudio1_5.dll
2009-07-31 00:02 . 2009-07-31 00:02 -------- d-----w- c:\program files\Disney Interactive Studios
2009-07-30 03:52 . 2009-07-30 03:52 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\ERS G-Studio
2009-07-26 21:04 . 2009-07-26 21:04 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\Big Fish Games
2009-07-26 21:03 . 2009-07-26 21:03 -------- d-----w- c:\program files\Tasty Planet
2009-07-26 21:01 . 2009-07-26 21:01 -------- d-----w- c:\program files\Supercow
2009-07-26 20:55 . 2009-07-26 20:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Big Fish Games
2009-07-26 20:55 . 2009-07-26 20:55 -------- d-----w- c:\program files\Jigs@w Puzzle 2
2009-07-26 20:53 . 2009-07-26 20:53 -------- d-----w- c:\documents and settings\All Users\Application Data\EscapeFromParadise2
2009-07-26 20:52 . 2009-07-28 02:42 -------- d-----w- c:\program files\Escape From Paradise 2 - A Kingdom's Quest
2009-07-25 03:31 . 2009-07-26 21:52 -------- d-----w- c:\program files\Pet Pals Animal Doctor
2009-07-25 02:41 . 2009-07-25 02:41 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\ERS G-Studio
2009-07-25 01:24 . 2009-07-25 01:25 -------- d-----w- c:\program files\Many Years Ago
2009-07-21 22:19 . 2009-07-21 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\2DBoy
2009-07-21 04:22 . 2009-07-21 05:42 -------- d-----w- c:\program files\World of Goo
2009-07-20 06:12 . 2009-07-20 06:12 -------- d-----w- c:\temp\org
2009-07-20 00:53 . 2009-07-20 00:53 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\UClick
2009-07-20 00:53 . 2009-07-20 00:53 -------- d-----w- c:\documents and settings\All Users\Application Data\UClick
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 19:09 . 2008-03-15 23:02 -------- d-----w- c:\program files\IDrive
2009-08-18 09:28 . 2007-05-22 20:02 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-18 05:16 . 2007-03-29 04:10 -------- d-----w- c:\program files\WinHex
2009-08-18 05:00 . 2007-11-17 17:40 -------- d-----w- c:\program files\Yahoo!
2009-08-18 03:40 . 2009-06-14 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-08-18 03:23 . 2007-09-30 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-17 06:44 . 2007-04-04 07:59 59160 ----a-w- c:\documents and settings\Kevin Thompson\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-14 20:12 . 2008-11-17 20:47 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-08-14 19:25 . 2007-03-26 04:22 -------- d-----w- c:\program files\Metapad
2009-08-12 03:55 . 2008-07-05 18:40 -------- d-----w- c:\program files\Ranch Rush
2009-08-11 07:57 . 2007-03-26 04:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-11 07:52 . 2008-10-09 18:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-11 07:44 . 2007-03-29 03:35 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\Skype
2009-08-11 07:20 . 2007-03-26 04:19 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-11 02:57 . 2008-12-05 23:47 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\skypePM
2009-08-10 18:34 . 2009-02-02 05:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-10 17:47 . 2007-07-27 01:48 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\Skype
2009-08-10 17:38 . 2008-12-18 05:44 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\skypePM
2009-08-10 04:08 . 2007-05-26 15:00 -------- d-----w- c:\documents and settings\All Users\Application Data\BigFishGamesCache
2009-08-10 03:37 . 2008-10-18 06:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-10 03:26 . 2008-10-09 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-08 23:36 . 2007-03-26 02:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-08 07:36 . 2008-04-10 02:16 -------- d-----w- c:\program files\NSecurityScan
2009-08-08 02:15 . 2009-05-14 21:04 -------- d-----w- c:\program files\Sony Online Entertainment
2009-08-07 22:06 . 2007-12-04 00:00 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\DivX
2009-07-31 00:02 . 2007-03-25 23:22 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-19 05:01 . 2009-07-19 03:18 -------- d-----w- c:\program files\Avalon
2009-07-18 23:49 . 2008-02-07 05:22 -------- d-----w- c:\program files\Nancy Drew - Legend of the Crystal Skull - Strategy Guide
2009-07-18 23:11 . 2007-04-05 23:36 -------- d-----w- c:\program files\The Learning Company
2009-07-17 20:48 . 2009-06-11 20:00 -------- d-----w- c:\program files\Mahjong Towers Eternity
2009-07-16 22:37 . 2007-04-14 19:47 -------- d-----w- c:\documents and settings\Helen Thompson\Application Data\PlayFirst
2009-07-10 22:15 . 2008-12-26 17:36 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\PlayFirst
2009-07-10 22:15 . 2008-01-24 01:56 -------- d-----w- c:\documents and settings\All Users\Application Data\PlayFirst
2009-07-10 04:56 . 2009-07-10 04:56 -------- d-----w- c:\program files\Emerald City Confidential
2009-07-03 04:21 . 2009-07-03 04:21 -------- d-----w- c:\documents and settings\Kevin Thompson\Application Data\InstallShield
2009-06-27 19:50 . 2009-02-01 03:11 -------- d-----w- c:\program files\Hidden Secrets - The Nightmare
2009-06-27 03:01 . 2007-04-14 19:25 19 ----a-w- c:\windows\popcinfo.dat
2009-06-21 01:42 . 2007-06-30 14:20 -------- d-----w- c:\program files\Professor Fizzwizzle and the Molten Mystery
2009-06-03 05:37 . 2009-06-03 05:37 390664 ----a-w- c:\documents and settings\Kevin Thompson\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2008-06-01 16:43 . 2008-06-01 16:43 0 ----a-w- c:\program files\temp01
2009-04-30 04:05 . 2009-04-30 04:05 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2009-04-30 04:05 . 2009-04-30 04:05 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2009-04-30 04:06 . 2009-04-30 04:06 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2009-04-30 04:06 . 2009-04-30 04:06 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue Registry Booster2"="c:\program files\Uniblue\RegistryBooster2\RegistryBooster.exe" [2007-04-23 1645088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-05 49152]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 158208]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-16 01:15 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Corel Registration.lnk]
backup=c:\windows\pss\Corel Registration.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Application Director 9.LNK]
backup=c:\windows\pss\Desktop Application Director 9.LNKCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
backup=c:\windows\pss\Device Detector 3.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Directrec Configuration Tool.lnk]
backup=c:\windows\pss\Directrec Configuration Tool.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Skype.lnk]
backup=c:\windows\pss\Skype.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^IDrive Tray.lnk]
backup=c:\windows\pss\IDrive Tray.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^QuickShelf 2000.lnk]
backup=c:\windows\pss\QuickShelf 2000.lnkStartup
[HKLM\~\startupfolder\C:^Documents and Settings^Kevin Thompson^Start Menu^Programs^Startup^SDK Tray Menu.lnk]
backup=c:\windows\pss\SDK Tray Menu.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\e-Campaign 6\\eCampaign.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office 2007\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]
R3 CAIQ;CAIQ;c:\docume~1\KEVINT~1\LOCALS~1\Temp\CAIQ.exe [x]
R3 OTTFRYC;OTTFRYC;c:\docume~1\KEVINT~1\LOCALS~1\Temp\OTTFRYC.exe [x]
R3 PNDLXZPOW;PNDLXZPOW;c:\docume~1\KEVINT~1\LOCALS~1\Temp\PNDLXZPOW.exe [x]
R3 SDTHelper;Helper driver for SDT-Tool;c:\program files\RadIns\sdthlpr.sys [2009-05-22 13385]
R3 WLOOTXIUDBSJWSMCL;WLOOTXIUDBSJWSMCL;c:\docume~1\KEVINT~1\LOCALS~1\Temp\WLOOTXIUDBSJWSMCL.exe [x]
R4 JJLRGHIFYZEAAVXMKIE;JJLRGHIFYZEAAVXMKIE;c:\docume~1\KEVINT~1\LOCALS~1\Temp\JJLRGHIFYZEAAVXMKIE.exe [x]
S1 avfwot;avfwot;c:\windows\system32\DRIVERS\avfwot.sys [2009-05-08 97608]
S2 AntiVirFirewallService;Avira Firewall;c:\program files\Avira\AntiVir Desktop\avfwsvc.exe [2009-05-11 388865]
S2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\Avira\AntiVir Desktop\avmailc.exe [2009-05-11 194817]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\Avira\AntiVir Desktop\AVWEBGRD.EXE [2009-05-12 434945]
S2 IDriveE Service;IDriveE Service;c:\program files\IDrive\IDriveE Service.exe [2008-03-14 128464]
S2 Perforce;Perforce;c:\progra~1\Perforce\p4s.exe [2007-08-08 978944]
S3 avfwim;AvFw Packet Filter Miniport;c:\windows\system32\DRIVERS\avfwim.sys [2009-02-24 69632]
.
Contents of the 'Scheduled Tasks' folder
2009-08-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RRT-Auto - c:\documents and settings\Kevin Thompson\Desktop\RRT.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\program files\Avira\AntiVir Desktop\avsda.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} - hxxps://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} - hxxp://www.digimeld.com/download/digimeldOcx.CAB
FF - ProfilePath - c:\documents and settings\Kevin Thompson\Application Data\Mozilla\Firefox\Profiles\wxgsy5sq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/r/ch
FF - plugin: c:\progra~1\SONYON~1\npsoe.dll
FF - plugin: c:\program files\Common Files\ParallelGraphics\Cortona\npCortona.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava11.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava12.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava13.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJava32.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPJPI142_14.dll
FF - plugin: c:\program files\Java\j2re1.4.2_14\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCortona.dll
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 12:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1152)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
- - - - - - - > 'lsass.exe'(1208)
c:\program files\Avira\AntiVir Desktop\avsda.dll
- - - - - - - > 'explorer.exe'(7896)
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Olympus\DeviceDetector\DM1Service.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Perforce\p4s.exe
c:\windows\system32\locator.exe
c:\program files\IDrive\IDriveETray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-18 12:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 19:15
Pre-Run: 243,556,720,640 bytes free
Post-Run: 244,896,313,344 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
388 --- E O F --- 2009-01-14 08:18