Solved: Infected by rootkit ZeroAccess

nbabe

Posts: 58
OK, I'm new here and I'll be upfront: my kids ruined this computer by doing whatever they damn please! But I'm the one who needs to be the savior. I learned we have bogus software (games mostly, they admitted) and will clean them as soon as I can have access! And I might need your help after to solve this!

Since Monday I tried to get help and followed a lot of steps with no results. Here is what I tried: SUPERAntiSpyware, RKill, TDSSKiller and MBAM. First I couldn't do them in normal mode, so did it in safe mode, since I have no access to the networking one. Then I managed to do MBAM in normal mode but cannot have access to any other antispyware; it tells me I'm not authorized (don't get it, I'm supposed to be the admin). Yesterday I was told to do a Kaspersky CD but my laptop couldn't, so I had to burn it on the infected computer (does it matter?). Whatever it found, I took action.

I'm still not allowed in normal mode to do much. So then I tried ComboFix... that's when I saw the rootkit ZeroAccess message. So now that I know my problem I found your website (following a solved similar item). BTW, I don't understand why they say my firewall is enabled; it should be disabled, I don't see it running.

Can't run antivirus in normal mode except MBAM, see the log. Everything else was run this week in safe mode; it solved nothing. Next, in safe mode, I'll try GMER since it wouldn't run in normal mode. It stopped in the middle of it (found one problem but couldn't save the log since it never finished) and restarted my computer. Trying now like it's mentioned in the 5 steps, by unchecking devices.


Right now I'm using an old laptop which is very basic and slow, so bear with me. Hope you guys can help me, and I'm sorry in advance, I'm quite the basic user!


Malwarebytes Anti-Malware 1.60.0.1800
www.malwarebytes.org

Database version: v2012.01.12.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Owner :: NP [administrator]

2012-04-07 15:44:42
mbam-log-2012-04-07 (15-44-42).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231085
Time elapsed: 5 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer's behavior, good or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

====================================================================

Can you run ANY of the other 5 steps from safe mode?
 
MBAM, yes (although it's not updated, since there's no internet access and I cannot get into safe mode with networking).
GMER runs but then shuts down and reboots my computer before giving a log. Tried 2 times: once the regular way, and I saw a bug....
Second time without the Devices tab checked, and it did the same thing (restarted in the middle of it).

Still didn't try DDS in safe mode; wanted to see first what I should do about GMER.
Should I run DDS (try at least) in safe mode?
BUT when earlier today I ran ComboFix it said avast and Online Armor firewall were running.... I don't see them running (no icons).

Do you want me to try DDS anyway in safe mode?
 
OK, will do, but... I do have a stupid question. We have 3 logins on this computer and mine is supposed to be admin: mine, my daughter's and her brother's.

In safe mode we also have 3 logins... but now in safe mode it's daughter, mine and Administrator... do I still choose mine? 'Cause I dunno where this Administrator comes from.
 
DDS attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2008-03-04 15:05:43
System Uptime: 2012-04-07 18:00:05 (0 hours ago)
.
Motherboard: Intel Corporation | | D915GSE
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | | 3200/800mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 233 GiB total, 33,604 GiB free.
D: is CDROM ()
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Scan 300/600(P)
Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
Manufacturer: Compeye
Name: USB Scan 300/600(P)
PNP Device ID: USB\VID_05CB&PID_1483\5&1AEC3740&0&1
Service: PV8630
.
Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
Description: USB Mass Storage Device
Device ID: USB\VID_0A48&PID_3239\9203111
Manufacturer: Compatible USB storage device
Name: USB Mass Storage Device
PNP Device ID: USB\VID_0A48&PID_3239\9203111
Service: USBSTOR
.
==== System Restore Points ===================
.
RP1431: 2012-04-05 16:46:12 - System Checkpoint
RP1432: 2012-04-07 13:31:29 - System Checkpoint
.
==== Installed Programs ======================
.
µTorrent
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe AIR
Adobe Anchor Service CS4
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Recommended Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Illustrator CS4
Adobe Linguistics CS4
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop CS5
Adobe Reader 9.3.3
Adobe Reader Chinese Simplified Fonts
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player
Adobe SVG Viewer 3.0
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Aiseesoft DVD Creator 5.1.16
Analyseur et SDK MSXML 4.0 SP2
Antidote RX v3
AoA DVD Copy
AoA DVD Ripper
Ashampoo Burning Studio 2012 v10.0.15
avast! Antivirus
Avery® Wizard 2.1 for Microsoft® Office Word 2003
Babylon
Belltech Label Maker Pro 3.2
BigFix
BusinessCardsMX 3.99
CLUE Classic
Compatibility Pack for the 2007 Office system
Compeye 300/600 Driver
Connect
Critical Update for Windows Media Player 11 (KB959772)
Dark Tales 3 - Edgar Allan Poes The Premature Burial CE
Digimax Master
Digital Media Reader
Dr Paper 4
EasyFactures version Quebecoise
EasyRecovery Professional
Escape - Special Edition Bundle 1.00
Free PS Convert driver 8.15
French Spelling Settings
gamesfree Toolbar
GarageBot 5.5.4
Grammarly Add-In
Haali Media Splitter
High Definition Audio Driver Package - KB835221
HitmanPro 3.6
Home Plan Pro version 5.2.12.20
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
hp deskjet 3320 series
hp deskjet 3320 series (Remove only)
HP LaserJet 1200 Uninstaller
HP Photo and Imaging 2.0 - All-in-One Series Drivers
ImgBurn
Intel(R) Graphics Media Accelerator Driver
Japanese Fonts Support For Adobe Reader 9
Java 2 Runtime Environment, SE v1.4.2
Java Auto Updater
Java(TM) 6 Update 24
Jewel Quest Solitaire III
Just For Fun Games
Junk Mail filter update
K-Lite Mega Codec Pack 3.9.0
kuler
Live Search Maps Add-In for Microsoft Office Outlook
Mae Q West and the Sign of the Stars
Malwarebytes Anti-Malware version 1.60.0.1800
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2003 Web Components
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office File Validation Add-In
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook 2003 Calendar Views Add-in
Microsoft Office Outlook Connector
Microsoft Office PowerPoint 2003 Template Pack 1
Microsoft Office PowerPoint 2003 Template Pack 2
Microsoft Office PowerPoint 2003 Template Pack 3
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2003 Redaction Add-in
Microsoft Outlook Personal Folders Backup
Microsoft Search Enhancement Pack
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft_VC80_ATL_x86
Microsoft_VC80_CRT_x86
Microsoft_VC80_MFC_x86
Microsoft_VC80_MFCLOC_x86
Microsoft_VC90_ATL_x86
Microsoft_VC90_CRT_x86
Microsoft_VC90_MFC_x86
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySQL Connector/ODBC 3.51
Nero 6 Ultra Edition
Online Armor 4.0
PDF Settings CS4
PDF Settings CS5
PDFZilla V1.2.9
Photoshop Camera Raw
Pickers - Adventures in Rust
PowerDVD
Primo
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
Remove Hidden Data Tool
Romancing the Seven Wonders - Taj Mahal % CompanyName%
Runtime
Samsung USB Driver
Scan 300 / 600 Driver
Secret Missions - Mata Hari and the Kaiser's Submarines 1.00
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
Simply Accounting by Sage 2008
SKIP BO Castaway Caper
Skype™ 4.2
SoftV92 Data Fax Modem with SmartCP
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
SpywareBlaster 4.1
Strange Cases The Lighthouse Mystery Collectors Edition 1.00
StyleEase for APA Style
Suite Shared Configuration CS4
SUPERAntiSpyware
System Requirements Lab for Intel
Tahiti Hidden Pearl
The Clockwork Man
The Matrix Revolutions 3D Screen Saver Donor Version v3.2
The Race
Tout sur les verbes Anglais
Trojan Remover 6.8.3
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
WD Diagnostics
WebFldrs XP
WinAVI Video Converter
Windows Backup Utility
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Mail
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows System Scanner
Windows XP Service Pack 3
WinRAR archiver
WinUAE 1.5.3
WinXP Manager
Word to PDF Converter 3.0
Xvid 1.1.3 final uninstall
.
==== Event Viewer Messages From Past Week ========
.
2012-04-07 16:49:23, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
2012-04-07 15:27:00, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for ImagePath with the following error: Access is denied.
2012-04-07 15:25:58, error: Service Control Manager [7023] - The Windows Firewall/Internet Connection Sharing (ICS) service terminated with the following error: The system cannot find the file specified.
2012-04-07 15:25:58, error: Service Control Manager [7000] - The SAS Core Service service failed to start due to the following error: Access is denied.
2012-04-07 14:56:27, error: Service Control Manager [7001] - The Network Location Awareness (NLA) service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: The system cannot find the file specified.
2012-04-07 14:56:27, error: Service Control Manager [7000] - The TCP/IP Protocol Driver service failed to start due to the following error: The system cannot find the file specified.
2012-04-07 14:56:24, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: Access is denied.
2012-04-07 14:55:10, error: Service Control Manager [7000] - The avast! Web Scanner service failed to start due to the following error: Access is denied.
2012-04-07 14:55:10, error: Service Control Manager [7000] - The avast! Mail Scanner service failed to start due to the following error: Access is denied.
2012-04-07 14:54:34, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: OAmon Tcpip
2012-04-07 14:54:32, error: Service Control Manager [7023] - The F700isw service terminated with the following error: The specified module could not be found.
2012-04-07 14:54:32, error: Service Control Manager [7001] - The IPSEC Services service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:54:32, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:54:32, error: Service Control Manager [7001] - The DHCP Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:54:32, error: Service Control Manager [7000] - The Print Port Scanner Driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
2012-04-07 14:52:15, error: NetBT [4311] - Initialization failed because the driver device could not be created.
2012-04-07 14:50:58, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
2012-04-07 14:39:47, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT OADevice OAmon OAnet RasAcd Rdbss SASDIFSV SASKUTIL Tcpip WS2IFSL
2012-04-07 14:39:47, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:39:47, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSec service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:39:47, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
2012-04-07 14:39:12, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
2012-04-07 13:16:23, error: Service Control Manager [7006] - The ScRegSetValueExW call failed for Start with the following error: Access is denied.
2012-04-07 09:07:56, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
2012-04-07 09:06:19, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Aavmker4 AFD aswSP aswTdi Fips intelppm MRxSmb NetBIOS NetBT OADevice OAmon OAnet RasAcd Rdbss SASDIFSV SASKUTIL Tcpip
2012-04-07 09:06:19, error: Service Control Manager [7003] - The IPSEC Services service depends on the following nonexistent service: IPSec
.
==== End Of File ===========================



DDS dds.txt:

.
DDS (Ver_2011-08-26.01) - NTFSx86 MINIMAL
Internet Explorer: 8.0.6001.18702
Run by Owner at 18:05:13 on 2012-04-07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1208 [GMT -4:00]
.
AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
mStart Page = hxxp://www.google.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: chat-land.org
Trusted Zone: francite.net
Trusted Zone: gamezebo.com\www
Trusted Zone: realtor.com\www
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.5.3.0.cab
TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
TCP: Interfaces\{A2A8A90A-B713-4955-8394-15B36B415D11} : DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\online~2\oaevent.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-1-31 114768]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-1-31 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\avast4 antivirus\ashServ.exe [2010-1-31 138680]
S2 BackupService;BackupService;c:\documents and settings\owner\application data\hp simplesave application\uUACTokenSvc.exe [2010-12-31 83512]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\hitmanpro\hmpsched.exe [2012-4-6 90952]
S2 OAcat;Online Armor Helper Service;c:\program files\online armor\oacat.exe [2009-12-25 1282248]
S2 SvcOnlineArmor;Online Armor;c:\program files\online armor\oasrv.exe [2009-12-25 3291336]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\avast4 antivirus\ashMaiSv.exe [2010-1-31 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\avast4 antivirus\ashWebSv.exe [2010-1-31 352920]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
.
=============== Created Last 30 ================
.
2012-04-07 13:10:19 98816 ----a-w- c:\windows\sed.exe
2012-04-07 13:10:19 518144 ----a-w- c:\windows\SWREG.exe
2012-04-07 13:10:19 256000 ----a-w- c:\windows\PEV.exe
2012-04-07 13:10:19 208896 ----a-w- c:\windows\MBR.exe
2012-04-07 13:10:09 -------- d-----w- C:\b
2012-04-07 00:27:15 -------- d-----w- c:\program files\HitmanPro
2012-04-07 00:26:49 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-04-07 00:23:43 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-04-07 00:23:43 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-04-07 00:23:43 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-04-07 00:23:43 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-04-07 00:23:43 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-04-07 00:23:43 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-04-07 00:23:43 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-04-07 00:23:41 -------- d-----w- c:\program files\Trojan Remover
2012-04-07 00:23:41 -------- d-----w- c:\documents and settings\all users\application data\Simply Super Software
2012-04-06 14:56:24 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-05 22:21:18 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com
2012-04-05 22:19:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-05 22:19:20 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-04-05 22:15:18 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-18 22:05:58 -------- d-----w- c:\program files\Jewel Quest Solitaire III
2012-03-18 22:05:12 -------- d--h--w- c:\windows\PIF
2012-03-10 20:23:27 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
2012-03-10 19:32:30 -------- d-----w- c:\documents and settings\owner\application data\Ashampoo
2012-03-10 00:06:13 -------- d-----w- c:\documents and settings\owner\local settings\application data\temp
2012-03-10 00:05:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\ashampoo
2012-03-10 00:05:57 -------- d-----w- c:\documents and settings\all users\application data\ashampoo
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2003-07-12 00:04:00 46592 -c--a-w- c:\program files\KeyGen.exe
.
============= FINISH: 18:06:43,70 ===============
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

=============================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-07 18:15:49
-----------------------------
18:15:49.828 OS Version: Windows 5.1.2600 Service Pack 3
18:15:49.828 Number of processors: 2 586 0x304
18:15:49.828 ComputerName: NP UserName:
18:15:53.765 Initialize success
18:15:59.312 AVAST engine download error: 0
18:16:15.640 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17
18:16:15.640 Disk 0 Vendor: WDC_WD2500JD-22HBB0 08.02D08 Size: 238475MB BusType: 3
18:16:15.671 Disk 0 MBR read successfully
18:16:15.687 Disk 0 MBR scan
18:16:15.687 Disk 0 unknown MBR code
18:16:15.703 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238472 MB offset 63
18:16:15.734 Disk 0 scanning sectors +488392065
18:16:15.843 Disk 0 scanning C:\WINDOWS\system32\drivers
18:16:32.421 Service scanning
18:17:03.437 Modules scanning
18:17:12.593 Disk 0 trace - called modules:
18:17:12.625 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys
18:17:12.640 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a55f498]
18:17:12.656 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-17[0x8a596d98]
18:17:12.703 Scan finished successfully
18:17:23.421 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\antivirus 3 steps\MBR.dat"
18:17:23.578 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\antivirus 3 steps\aswMBR.txt"
18:17:40.906 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Owner\Desktop\MBR.dat"
18:17:40.921 The log file has been saved successfully to "C:\Documents and Settings\Owner\Desktop\aswMBR.txt"


bootkit


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 869670d31e461535ecca5b3e97963d9c

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...
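The aswMBR step above saves a raw copy of the MBR (MBR.dat) and Bootkit Remover reports a boot-sector MD5 and "Unknown boot code", meaning the hash is not in its whitelist. As an added illustration, not code from the thread or from either tool, the Python script below does the same kind of inspection on an MBR image: it verifies the 0x55AA signature, hashes the 446-byte boot-code area, and decodes the partition table. The sample image is constructed to match the layout the aswMBR log reports (one active type 07 NTFS partition at LBA 63, 238472 MB); the known-good hash set is an assumption you fill in from a clean machine, and since the page does not say which byte range Bootkit Remover hashes, the MD5 here will not equal its value.

```python
"""Inspect an MBR image (e.g. the MBR.dat that aswMBR saves) for the facts a
bootkit check cares about: signature, boot-code hash, partition table."""
import hashlib
import struct
import sys
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow
SIGNATURE_OFF = 510      # 0x55AA marks a valid MBR

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


@dataclass
class Partition:
    index: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int

    @property
    def size_mb(self) -> int:
        return self.sector_count * SECTOR // (1024 * 1024)

    @property
    def byte_offset(self) -> int:
        # Bootkit Remover prints this as "offset 0x...": LBA 63 -> 0x7e00
        return self.lba_start * SECTOR

    @property
    def type_name(self) -> str:
        return PARTITION_TYPES.get(self.type_id, "unknown (0x%02x)" % self.type_id)


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four classic partition entries; empty slots are skipped."""
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_id, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if type_id == 0 and count == 0:
            continue
        parts.append(Partition(i + 1, status == 0x80, type_id, lba_start, count))
    return parts


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot-code area only, so it is comparable across machines
    whose partition tables differ (assumption: a fixed 446-byte range)."""
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good: FrozenSet[str] = frozenset()) -> Dict:
    """Return the checks a defender wants before deciding whether to 'fix' the MBR."""
    if len(mbr) < SECTOR:
        raise ValueError("MBR image must be at least 512 bytes")
    md5 = boot_code_md5(mbr)
    parts = parse_partitions(mbr)
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
        "boot_code_md5": md5,
        "boot_code_known": md5 in known_good,   # False == "Unknown boot code"
        "bootable_count": sum(p.bootable for p in parts),
        "partitions": parts,
    }


def build_sample_mbr() -> bytes:
    """Constructed test image: placeholder boot code plus one partition laid
    out like the one in the aswMBR log (active, type 07, LBA 63, 238472 MB)."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 488390656)
    return boot_code + entry + b"\x00" * 48 + b"\x55\xaa"


def report(mbr: bytes, known_good: FrozenSet[str] = frozenset()) -> str:
    r = check_mbr(mbr, known_good)
    lines = ["signature ok: %s" % r["signature_ok"],
             "boot code MD5: %s (%s)" % (r["boot_code_md5"],
                                          "known" if r["boot_code_known"] else "Unknown boot code")]
    for p in r["partitions"]:
        lines.append("partition %d %s type %02x %s %d MB offset %d (0x%x)" % (
            p.index, "(A)" if p.bootable else "   ", p.type_id, p.type_name,
            p.size_mb, p.lba_start, p.byte_offset))
    return "\n".join(lines)


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_mbr()
    print(report(image))
```

Run it with the path to MBR.dat to see your own table; with no argument it prints the constructed sample.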
 
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.

  • NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
  • NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"
**Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
**Note 2 for AVG and CA Internet Security users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.
There are 4 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click Rkill and choose Run as Administrator.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

* Rkill.com
* Rkill.scr
* Rkill.exe
  • Double-click on the Rkill icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.
Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

NOTE. Since you're running Combofix from safe mode, disregard any warnings about some AV program running.
 
Rkill worked and said nothing was killed.

ComboFix (used yours), in the middle of it, said I was infected by rootkit ZeroAccess. Then a bit later it said it had rootkit activity and needed to restart the computer, which it did automatically (I made sure to go back in safe mode), and ComboFix restarted alone after the computer restarted.
It did it another time after that and then the log was created. Don't know if that's normal.

It got an error at the end, a pop-up message. It said instruction 0x0070005f could not be read, click OK to terminate or Cancel to debug. What do I do?

I left the message there but ComboFix finished. Here's the log.

ComboFix 12-04-07.03 - Owner 2012-04-07 18:45:30.2.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1228 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
.
.
2012-04-07 13:10 . 2012-04-07 13:20 -------- d-----w- C:\b
2012-04-07 00:27 . 2012-04-07 00:27 -------- d-----w- c:\program files\HitmanPro
2012-04-07 00:26 . 2012-04-07 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-07 00:23 . 2010-10-24 11:06 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-04-07 00:23 . 2010-10-24 11:06 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-04-07 00:23 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-04-07 00:23 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-04-07 00:23 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-04-07 00:23 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-04-07 00:23 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\program files\Trojan Remover
2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2012-04-06 14:56 . 2012-04-06 19:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-05 22:21 . 2012-04-05 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2012-04-05 22:19 . 2012-04-05 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-05 22:19 . 2012-04-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-05 22:15 . 2012-04-05 22:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-05 17:14 . 2012-04-05 19:49 -------- d-----w- c:\documents and settings\Administrator.NP
2012-03-18 22:05 . 2012-03-18 22:05 -------- d-----w- c:\program files\Jewel Quest Solitaire III
2012-03-18 22:05 . 2012-03-18 22:05 -------- d--h--w- c:\windows\PIF
2012-03-10 20:23 . 2012-03-10 20:23 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
2012-03-10 19:32 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashampoo
2012-03-10 00:06 . 2012-03-10 00:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\temp
2012-03-10 00:05 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ashampoo
2012-03-10 00:05 . 2012-03-10 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2008-03-04 21:46 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 10:46 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-03-04 21:46 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2003-07-12 00:04 . 2008-09-21 17:51 46592 -c--a-w- c:\program files\KeyGen.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-07_20.08.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-07 22:57 . 2012-04-07 22:57 16384 c:\windows\temp\Perflib_Perfdata_2c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-12-05 923336]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-07 21:27 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2012-04-03 20:36 1238800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
"SunKistEM"=c:\program files\Digital Media Reader\shwiconem.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"Babylon Client"=c:\program files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"SwitchBoard"=c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"AlcWzrd"=ALCWZRD.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Persistence"=c:\windows\system32\igfxpers.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Kyodai Mahjongg 2006\\kmj.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2011-08-11 116608]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-01-31 114768]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-01-31 20560]
S2 BackupService;BackupService;c:\documents and settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [2010-12-31 83512]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-04-06 90952]
S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2009-12-25 1282248]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2009-12-25 3291336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2011-06-02 11336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
atkkeyboardservice
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
mStart Page = hxxp://www.google.com
Trusted Zone: chat-land.org
Trusted Zone: francite.net
Trusted Zone: gamezebo.com\www
Trusted Zone: realtor.com\www
TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 19:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(212)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(468)
c:\windows\system32\WININET.dll
.
Completion time: 2012-04-07 19:07:38 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-07 23:07
ComboFix2.txt 2012-04-07 20:13
.
Pre-Run: 36*028*829*696 bytes free
Post-Run: 36*010*668*032 bytes free
.
- - End Of File - - 1A411E6BD26A8274DB15B933DE9809E7
 
Here is the error message I still have on screen; it popped up during the end of ComboFix... What do I do, click OK or Cancel?

---------------------------
pev.3XE - Application Error
---------------------------
The instruction at "0x0070005f" referenced memory at "0x0070005f". The memory could not be "read".


Click on OK to terminate the program
Click on CANCEL to debug the program
---------------------------
OK Cancel
---------------------------


combofixlog

ComboFix 12-04-05.06 - Administrator 04/07/2012 15:05:43.1.2 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1509.1243 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\antivirus 3 steps\b.exe
AV: avast! antivirus 4.8.1368 [VPS 120404-1] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Online Armor Firewall *Enabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.NP\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Berny\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Eliz\WINDOWS
c:\documents and settings\Owner\3320-enu-win2k_xp.exe
c:\documents and settings\Owner\Application Data\Island
c:\documents and settings\Owner\Application Data\Island\space.rgt
c:\documents and settings\Owner\Application Data\PriceGong
c:\documents and settings\Owner\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\4489.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Owner\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Owner\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Owner\Application Data\TMInc
c:\documents and settings\Owner\Application Data\TMInc\game.cfg
c:\documents and settings\Owner\Application Data\TMInc\user1.sav
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\6644nQ6.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\bPXsAg.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\Jbh5v.jpg
c:\documents and settings\Owner\Local Settings\Temporary Internet Files\P0rk1aXa3.jpg
c:\documents and settings\Owner\System
c:\documents and settings\Owner\System\win_qs8.jqx
c:\documents and settings\Owner\WINDOWS
c:\windows\system32\_000023_.tmp.dll
c:\windows\system32\_000024_.tmp.dll
c:\windows\system32\_000025_.tmp.dll
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\DC120fc7_32.dll
c:\windows\system32\dds_trash_log.cmd
.
.
((((((((((((((((((((((((( Files Created from 2012-03-07 to 2012-04-07 )))))))))))))))))))))))))))))))
.
.
2012-04-07 13:10 . 2012-04-07 13:20 -------- d-----w- C:\b
2012-04-07 00:27 . 2012-04-07 00:27 -------- d-----w- c:\program files\HitmanPro
2012-04-07 00:26 . 2012-04-07 00:26 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-04-07 00:23 . 2010-10-24 11:06 598528 ----a-w- c:\windows\system32\ztv7z.dll
2012-04-07 00:23 . 2010-10-24 11:06 178176 ----a-w- c:\windows\system32\ztvunrar39.dll
2012-04-07 00:23 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2012-04-07 00:23 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2012-04-07 00:23 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2012-04-07 00:23 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2012-04-07 00:23 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\program files\Trojan Remover
2012-04-07 00:23 . 2012-04-07 00:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2012-04-06 14:56 . 2012-04-06 19:25 -------- d---a-w- C:\Kaspersky Rescue Disk 10.0
2012-04-05 22:21 . 2012-04-05 22:21 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2012-04-05 22:19 . 2012-04-05 22:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-04-05 22:19 . 2012-04-05 22:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-04-05 22:15 . 2012-04-05 22:15 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-05 17:14 . 2012-04-05 19:49 -------- d-----w- c:\documents and settings\Administrator.NP
2012-03-18 22:05 . 2012-03-18 22:05 -------- d-----w- c:\program files\Jewel Quest Solitaire III
2012-03-18 22:05 . 2012-03-18 22:05 -------- d--h--w- c:\windows\PIF
2012-03-10 20:23 . 2012-03-10 20:23 -------- d-----w- c:\program files\Ashampoo Burning Studio 2012
2012-03-10 19:32 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Application Data\Ashampoo
2012-03-10 00:06 . 2012-03-10 00:06 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\temp
2012-03-10 00:05 . 2012-03-10 19:32 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\ashampoo
2012-03-10 00:05 . 2012-03-10 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\ashampoo
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-03 09:22 . 2008-03-04 21:46 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 10:46 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-03-04 21:46 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2003-07-12 00:04 . 2008-09-21 17:51 46592 -c--a-w- c:\program files\KeyGen.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\ONLINE~2\oaevent.dll" [2009-12-05 923336]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 -c--a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 -c--a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2012-03-07 21:27 3905920 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
2012-04-03 20:36 1238800 ----a-w- c:\program files\Trojan Remover\Trjscan.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Skype"="c:\program files\Skype\Phone\Skype.exe" /nosplash /minimized
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"High Definition Audio Property Page Shortcut"=HDAudPropShortcut.exe
"SunKistEM"=c:\program files\Digital Media Reader\shwiconem.exe
"HotKeysCmds"=c:\windows\system32\hkcmd.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"HPDJ Taskbar Utility"=c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"IgfxTray"=c:\windows\system32\igfxtray.exe
"Babylon Client"=c:\program files\Babylon\Babylon-Pro\Babylon.exe -AutoStart
"AdobeCS5ServiceManager"="c:\program files\Common Files\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
"SwitchBoard"=c:\program files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"SoundMan"=SOUNDMAN.EXE
"AlcWzrd"=ALCWZRD.EXE
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Persistence"=c:\windows\system32\igfxpers.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Kyodai Mahjongg 2006\\kmj.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [2011-08-11 116608]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-01-31 114768]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2009-12-25 223312]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2009-12-25 24656]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2009-12-25 29776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-01-31 20560]
S2 BackupService;BackupService;c:\documents and settings\Owner\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [2010-12-31 83512]
S2 HitmanProScheduler;HitmanPro Scheduler;c:\program files\HitmanPro\hmpsched.exe [2012-04-06 90952]
S2 OAcat;Online Armor Helper Service;c:\program files\Online Armor\oacat.exe [2009-12-25 1282248]
S2 SvcOnlineArmor;Online Armor;c:\program files\Online Armor\oasrv.exe [2009-12-25 3291336]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [2011-06-02 11336]
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
atkkeyboardservice
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{43eca3e4-1519-11e0-961f-0011116e4d04}]
\Shell\AutoRun\command - J:\HPLauncher.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uSearchMigratedDefaultURL = hxxp://www.cherche.us/Result.php?cx=partner-pub-0420647136319153%3A5n6ugpjrdrh&cof=GIMP%3ACCCCCC%3BT%3A000000%3BALC%3A551a8b%3BGFNT%3AB7B7B7%3BLC%3A2200cc%3BBGC%3AFFFFFF%3BVLC%3A551a8b%3BGALT%3A008B45%3BFORID%3A10%3BDIV%3A%23FFFFF0%3B&q={searchTerms}
mStart Page = hxxp://www.google.com
Trusted Zone: chat-land.org
Trusted Zone: francite.net
Trusted Zone: gamezebo.com\www
Trusted Zone: realtor.com\www
TCP: DhcpNameServer = 24.200.241.37 24.201.245.77 24.200.243.189
DPF: {C2B78FF1-6E5A-4854-AC24-E09A0E2411BA} - hxxp://static1.meetupstatic.com/applet/MeetUploader_200909.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{7ac1cacf-43d3-4b2b-861c-219bda77ecf1} - (no file)
Toolbar-{7ac1cacf-43d3-4b2b-861c-219bda77ecf1} - (no file)
Toolbar-Locked - (no file)
WebBrowser-{7AC1CACF-43D3-4B2B-861C-219BDA77ECF1} - (no file)
SafeBoot-11586904.sys
MSConfigStartUp-Internet Security - c:\documents and settings\All Users\Application Data\isecurity.exe
AddRemove-WhiteSmoke - c:\program files\WhiteSmoke\Uninst.exe
AddRemove-{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-113217220} - c:\program files\Gamenext\Brainiversity\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 16:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(208)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'explorer.exe'(1728)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2012-04-07 16:13:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-07 20:13
.
Pre-Run: 35,713,564,672 bytes free
Post-Run: 36*053*635*072 bytes free
.
- - End Of File - - 2FF15DC1CDC841E8322B72FF11AFE6D6
 
Here is the error message I still have on screen; it popped up during the end of ComboFix... What do I do, click OK or Cancel?
Click OK.

See if you can boot to normal mode now.

Also, uninstall Trojan Remover, very questionable program.
 
I can boot to normal mode but still can't log into the internet. Want me to try whether the antivirus will work now? i.e. rkill or such wouldn't before.

Also tried to remove Trojan Remover in Add or Delete; it told me you can delete the shortcut, did it. But I thought that was weird and I verified it is still in my programs... I tried to click uninstall there and I still do not have access.
I get this error message: Windows cannot access the specified ..... you may not have appropriate permission to access the item?
 
We'll take care of Trojan Remover later.

Good news you can boot to normal mode.

Let's see about your internet connection.

Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.
 
As I mentioned in a previous post, I can go to normal mode but can't open the software or anything else for that matter (documents, programs). I always get the aforementioned message when I try to open a document or software, i.e. I may not have permission to access the item. Either it's the virus or it removed my admin rights? Dunno, but I can't open anything in normal mode; I don't have access.

I'll wait for indications of what to do next!
 
FSS in safe mode:

Farbar Service Scanner Version: 01-03-2012
Ran by Owner (administrator) on 08-04-2012 at 15:11:57
Running from "C:\Documents and Settings\Owner\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Minimal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is OK.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.

Dhcp Service is not running. Checking service configuration:
The start type of Dhcp service is OK.
The ImagePath of Dhcp service is OK.
The ServiceDll of Dhcp service is OK.

afd Service is not running. Checking service configuration:
The start type of afd service is OK.
The ImagePath of afd service is OK.

NetBt Service is not running. Checking service configuration:
The start type of NetBt service is OK.
The ImagePath of NetBt service is OK.

Tcpip Service is not running. Checking service configuration:
The start type of Tcpip service is OK.
The ImagePath of Tcpip service is OK.

IpSec Service is not running. Checking service configuration:
The start type of IpSec service is OK.
The ImagePath of IpSec service is OK.


Connection Status:
==============
Localhost is blocked.
LAN connected.
Attempt to access Google IP returned error: Other errors
Attempt to access Yahoo IP returend error: Other errors


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is OK.
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.

netman Service is not running. Checking service configuration:
The start type of netman service is OK.
The ImagePath of netman service is OK.
The ServiceDll of netman service is OK.


Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is OK.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\0000 registry key. The key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is OK.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".

BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.

EventSystem Service is not running. Checking service configuration:
The start type of EventSystem service is OK.
The ImagePath of EventSystem: "C:\WINDOWS\system32\svchost.exe -k netsvcs".
The ServiceDll of EventSystem: "C:\WINDOWS\system32\es.dll".


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
aswTdi(1) Gpc(6) NetBT(5) OAmon(9) Tcpip(3)



**** End of log ****
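The FSS log above, produced by following the helper's instructions, still has to be read line by line. As an added example that is not part of this thread or of FSS itself, here is a small Python triage script that groups the lines worth acting on; the sample log is constructed from the lines in the post above, and the regular expressions assume FSS's wording exactly as it appears there.

```python
import re

# Constructed sample: a trimmed copy of the FSS.txt lines shown in the thread.
SAMPLE_FSS_LOG = """\
Boot Mode: Minimal
Dnscache Service is not running. Checking service configuration:
The ServiceDll of Dnscache service is OK.
Localhost is blocked.
Attempt to access Google IP returned error: Other errors
wscsvc Service is not running. Checking service configuration:
Checking LEGACY_wscsvc: Attention! Unable to open LEGACY_wscsvc\\0000 registry key. The key does not exist.
The ServiceDll of wuauserv: "C:\\WINDOWS\\system32\\wuauserv.dll".
BITS Service is not running. Checking service configuration:
The start type of BITS service is set to Demand. The default start type is Auto.
The ImagePath of EventSystem: "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs".
"""

RE_NOT_RUNNING = re.compile(r"^(\S+) Service is not running\.")
RE_START_TYPE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. The default start type is (\w+)\.")
RE_PATH = re.compile(r'^The (ImagePath|ServiceDll) of (\S+): "(.+)"\.$')
RE_ATTENTION = re.compile(r"Attention! (.+)$")
RE_CONNECTION = re.compile(r"^(Localhost is blocked\.?|Attempt to access .+ error: .+)$")


def triage_fss(log: str) -> dict:
    """Group the FSS lines a responder should act on. FSS prints 'is OK' when
    a value matches its built-in expectation and the actual value otherwise,
    so a printed path means 'review', not 'infected'."""
    boot_mode = "Normal"
    not_running, start_type, review_paths, attention, connection = [], [], [], [], []
    for line in log.splitlines():
        line = line.strip()
        if line.startswith("Boot Mode:"):
            boot_mode = line.split(":", 1)[1].strip()
        elif m := RE_NOT_RUNNING.match(line):
            not_running.append(m.group(1))
        elif m := RE_START_TYPE.match(line):
            start_type.append(f"{m.group(1)}: {m.group(2)} (default {m.group(3)})")
        elif m := RE_PATH.match(line):
            review_paths.append(f"{m.group(2)} {m.group(1)} = {m.group(3)}")
        elif m := RE_ATTENTION.search(line):
            attention.append(m.group(1))
        elif RE_CONNECTION.match(line):
            connection.append(line)
    return {
        "boot_mode": boot_mode,
        # Safe Mode (Boot Mode: Minimal) never starts these network and
        # security services, so 'not running' is expected there, not evidence.
        "safe_mode": boot_mode.lower() == "minimal",
        "not_running": not_running,
        "start_type": start_type,
        "review_paths": review_paths,
        "attention": attention,
        "connection": connection,
    }
```

On the log above this yields one start-type deviation (BITS), two paths to review, one Attention line and a blocked localhost, all recorded while in Safe Mode, which is why the helper asks for a normal-mode run before drawing conclusions about the services.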
 
Let's see if we can restore your internet connection.

1. Download winsock.zip
Unzip it.
Right click on Winsock.reg, click "Merge".
Allow registry merge.

2. Restart computer.

3. Go to Start ==> Control Panel. Double-click Network Connections. Right-click Local Area Connection, and select Properties.
  • On the General tab, click Install; a popup window opens.
  • Select Protocol from the list and then click Add.
  • A new window opens, click Have Disk....
  • In the browse... box type c:\windows\inf
  • Click OK.
  • Select Internet Protocol (TCP/IP), and then click OK.
  • Restart and check the connection.
 
Unfortunately yes. I still receive this message that I don't have permission, whether it is for regular software or an antivirus.
 
You said:
google page came up
You can open something then?

Let's run the following tool. This will help determine which files need permissions restored.

Please download and save Junction.zip

Unzip it and place Junction.exe in the Windows directory (C:\Windows).
Go to Start>Run (Vista and Windows 7 users use "Start search" box).
Copy and paste the following command in the Run box and click OK (Vista and Windows 7 users press "Enter"):

cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

A command window opens starting to scan the system.
Wait until a log file opens.
Copy and paste the log in your next reply.
 