Redirected searches on IE and Firefox - please help, I have tried all kinds of anti-spyware and nothing is working

Hi Chzbrger,

Welcome to Dell Community Malware Removal Forums,

Sorry for the delay in getting to you, I'm K27 and i will be reviewing your log for you.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you too, as this will only make the cleanup process all the more diffecult.

Failure to reply in three (3) days will result in this topic being closed and I will remove it from my notifications, If you require more time then that is fine but please let me know.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:

• Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:

• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Then:

• Double click your Malwarebytes desktop icon
• Click the UPDATE tab at the top
• Scan for and install any updates it finds
• Then choose the SCANNER tab and run a FULL SCAN
• Once finished if MBAM found anything please click Show Results
• Make sure EVERYTHING has a check in the box next to it and then click Remove Selected
• Post the MBAM log results back to this thread

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

I then need to see some additional information about what is happening in your machine.
Please perform the following scan:

• Download DDS by sUBs from one of the following links. Save it to your desktop.
  • DDS.com
  • DDS.scr
  • DDS.pif
• Double click on the DDS icon, allow it to run.
• A small box will open, with an explanation about the tool.
• When done, DDS will open two (2) logs
  1. DDS.txt
  2. Attach.txt
• Save both reports to your desktop.
• The instructions here ask you to attach the Attach.txt.
  
• Instead of attaching, please copy/past both logs into your next reply.

   

   

• Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run.
After downloading the tool, disconnect from the internet and disable all antivirus protection.
Run the scan, enable your A/V and reconnect to the internet.
Information on A/V control HERE

Please copy/paste back the MBAM log and BOTH DDS logs for review.

Thanks.

Thank you for the response! Before I heard back I heard about the CWShredder application and it  may have solved my problem - would you still recommend having my logs analyzed? (I'm sorry I didn't have a chance to change my post before your response.) Thanks!

Hi,

I would strongly recommend posting the logs, with redirect issues there is a high chance that you may have a Rootkit on board. If you would like to continue, please post the logs provided.

Thanks.

OK, great, thanks. Here are the logs:

Malware Bytes log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6271

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

4/4/2011 9:05:18 PM
mbam-log-2011-04-04 (21-05-18).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 190348
Time elapsed: 43 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

DDS logs:

.
DDS (Ver_11-03-05.01) - NTFSx86 
Run by Eric DeYoung at 21:24:18.84 on Mon 04/04/2011
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.469 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Eric DeYoung\My Documents\Downloads\dds(1).com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://us.mg5.mail.yahoo.com/dc/launch?.gx=1&.rand=22iueibg12q0v
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://qwest.live.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Windows Internet Explorer
mDefault_Page_URL = hxxp://www.yahoo.com/?fr=fp-yma3
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma3
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn2\YTSingleInstance.dll
TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn2\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EPSON Stylus CX5000 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatibva.exe /fu "c:\windows\temp\E_S229.tmp" /EF "HKLM"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
uPolicies-system: DisableLockWorkstation = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo2.walgreens.com/WalgreensActivia.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\ericde~1\applic~1\mozilla\firefox\profiles\518xzb96.default\
FF - plugin: c:\program files\canon\zoombrowser ex\program\NPCIG.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-23 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-3-23 301528]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl26e284da;MpKsl26e284da;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\MpKsl26e284da.sys [2011-4-4 28752]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-3-23 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-3-23 42184]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 dycihimh;dycihimh;\??\c:\windows\system32\drivers\dycihimh.sys --> c:\windows\system32\drivers\dycihimh.sys [?]
S1 gskrdqwk;gskrdqwk;\??\c:\windows\system32\drivers\gskrdqwk.sys --> c:\windows\system32\drivers\gskrdqwk.sys [?]
S1 hgcqpgrl;hgcqpgrl;\??\c:\windows\system32\drivers\hgcqpgrl.sys --> c:\windows\system32\drivers\hgcqpgrl.sys [?]
S1 htzwckvw;htzwckvw;\??\c:\windows\system32\drivers\htzwckvw.sys --> c:\windows\system32\drivers\htzwckvw.sys [?]
S1 ixthvmwc;ixthvmwc;\??\c:\windows\system32\drivers\ixthvmwc.sys --> c:\windows\system32\drivers\ixthvmwc.sys [?]
S1 kimezjsp;kimezjsp;\??\c:\windows\system32\drivers\kimezjsp.sys --> c:\windows\system32\drivers\kimezjsp.sys [?]
S1 lftjhcsc;lftjhcsc;\??\c:\windows\system32\drivers\lftjhcsc.sys --> c:\windows\system32\drivers\lftjhcsc.sys [?]
S1 njmctyra;njmctyra;\??\c:\windows\system32\drivers\njmctyra.sys --> c:\windows\system32\drivers\njmctyra.sys [?]
S1 nraokdhg;nraokdhg;\??\c:\windows\system32\drivers\nraokdhg.sys --> c:\windows\system32\drivers\nraokdhg.sys [?]
S1 nzjfxqjs;nzjfxqjs;\??\c:\windows\system32\drivers\nzjfxqjs.sys --> c:\windows\system32\drivers\nzjfxqjs.sys [?]
S1 obfvlddf;obfvlddf;\??\c:\windows\system32\drivers\obfvlddf.sys --> c:\windows\system32\drivers\obfvlddf.sys [?]
S1 pqpsozec;pqpsozec;\??\c:\windows\system32\drivers\pqpsozec.sys --> c:\windows\system32\drivers\pqpsozec.sys [?]
S1 qgffakcw;qgffakcw;\??\c:\windows\system32\drivers\qgffakcw.sys --> c:\windows\system32\drivers\qgffakcw.sys [?]
S1 rnhetqzs;rnhetqzs;\??\c:\windows\system32\drivers\rnhetqzs.sys --> c:\windows\system32\drivers\rnhetqzs.sys [?]
S1 sctxshpc;sctxshpc;\??\c:\windows\system32\drivers\sctxshpc.sys --> c:\windows\system32\drivers\sctxshpc.sys [?]
S1 sparyilh;sparyilh;\??\c:\windows\system32\drivers\sparyilh.sys --> c:\windows\system32\drivers\sparyilh.sys [?]
S1 tmvmfdhb;tmvmfdhb;\??\c:\windows\system32\drivers\tmvmfdhb.sys --> c:\windows\system32\drivers\tmvmfdhb.sys [?]
S1 tmywegcr;tmywegcr;\??\c:\windows\system32\drivers\tmywegcr.sys --> c:\windows\system32\drivers\tmywegcr.sys [?]
S1 vajeveck;vajeveck;\??\c:\windows\system32\drivers\vajeveck.sys --> c:\windows\system32\drivers\vajeveck.sys [?]
S1 vehhyiet;vehhyiet;\??\c:\windows\system32\drivers\vehhyiet.sys --> c:\windows\system32\drivers\vehhyiet.sys [?]
S2 gupdate1c98a12e8536556;Google Update Service (gupdate1c98a12e8536556);c:\program files\google\update\GoogleUpdate.exe [2009-2-8 133104]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
.
=============== Created Last 30 ================
.
2011-04-04 21:56:39    28752    ----a-w-    c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\MpKsl26e284da.sys
2011-04-04 21:55:50    6792528    ----a-w-    c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{628f997f-9bc3-4b0b-81e7-d2d4a869f1b6}\mpengine.dll
2011-04-03 19:34:58    --------    d-----w-    c:\program files\CCleaner
2011-04-01 01:46:16    6792528    ----a-w-    c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-30 17:16:49    222080    ------w-    c:\windows\system32\MpSigStub.exe
2011-03-30 17:07:27    --------    d-----w-    c:\program files\Microsoft Security Client
2011-03-29 13:49:10    388096    ----a-r-    c:\docume~1\ericde~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-03-28 18:50:55    --------    d-----w-    c:\documents and settings\eric deyoung\DoctorWeb
2011-03-26 20:40:12    --------    d-----w-    c:\docume~1\ericde~1\applic~1\Malwarebytes
2011-03-26 20:39:55    38224    ----a-w-    c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-26 20:39:49    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-03-26 20:39:38    20952    ----a-w-    c:\windows\system32\drivers\mbam.sys
2011-03-26 20:39:37    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-03-25 20:35:48    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2011-03-25 20:35:48    --------    d-----w-    c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-25 19:38:59    1975768    ----a-w-    c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-25 19:38:59    19416    ----a-w-    c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-03-25 19:38:59    1893336    ----a-w-    c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-25 19:38:59    125912    ----a-w-    c:\program files\mozilla firefox\crashreporter.exe
2011-03-25 19:28:55    --------    d-----w-    c:\docume~1\ericde~1\locals~1\applic~1\Mozilla
2011-03-24 13:26:51    --------    d-----w-    c:\program files\SpywareBlaster
2011-03-23 14:06:02    371544    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2011-03-23 14:05:40    40648    ----a-w-    c:\windows\avastSS.scr
2011-03-23 13:44:15    --------    d-----w-    c:\windows\system32\wbem\repository\FS
2011-03-23 13:44:15    --------    d-----w-    c:\windows\system32\wbem\Repository
2011-03-23 13:23:43    --------    d-----w-    c:\docume~1\ericde~1\applic~1\Sammsoft
2011-03-23 13:23:31    --------    d-----w-    c:\program files\ARO 2011
.
==================== Find3M  ====================
.
2011-04-01 13:36:15    502272    ----a-w-    c:\windows\system32\winlogon.exe
2011-04-01 13:36:15    1033216    ----a-w-    c:\windows\explorer.exe
2011-02-04 23:48:32    456192    ----a-w-    c:\windows\system32\encdec.dll
2011-02-04 23:48:30    291840    ----a-w-    c:\windows\system32\sbe.dll
2009-04-11 16:02:15    21068096    ----a-w-    c:\program files\FTBDL.exe
.
============= FINISH: 21:25:54.17 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 10/20/2006 3:00:50 PM
System Uptime: 4/4/2011 2:08:38 AM (19 hours ago)
.
Motherboard: Dell Inc. |  | 0KD882
Processor: Genuine Intel(R) CPU           T2300  @ 1.66GHz | Microprocessor | 1661/133mhz
Processor: Genuine Intel(R) CPU           T2300  @ 1.66GHz | Microprocessor | 1662/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 79 GiB total, 41.564 GiB free.
D: is FIXED (NTFS) - 27 GiB total, 26.447 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 3/17/2011 8:12:19 PM - System Checkpoint
RP2: 3/18/2011 8:22:43 PM - System Checkpoint
RP3: 3/19/2011 9:09:06 PM - System Checkpoint
RP4: 3/20/2011 9:37:19 PM - System Checkpoint
RP5: 3/21/2011 9:58:17 PM - System Checkpoint
RP6: 3/23/2011 8:23:31 AM - ARO 2011 - Before Installation
RP7: 3/23/2011 8:24:05 AM - ARO 2011 - FIRST RUN
RP8: 3/23/2011 8:32:26 AM - ARO 2011 Wed, Mar 23, 11  08:32
RP9: 3/23/2011 8:43:00 AM - Restore Operation
RP10: 3/23/2011 9:05:33 AM - avast! Free Antivirus Setup
RP11: 3/24/2011 9:26:35 AM - System Checkpoint
RP12: 3/25/2011 9:58:28 AM - System Checkpoint
RP13: 3/26/2011 4:15:15 PM - System Checkpoint
RP14: 3/28/2011 2:16:48 PM - System Checkpoint
RP15: 3/29/2011 8:49:07 AM - Installed HiJackThis
RP16: 3/30/2011 8:51:00 AM - System Checkpoint
RP17: 3/31/2011 9:15:37 AM - System Checkpoint
RP18: 3/31/2011 8:45:41 PM - Software Distribution Service 3.0
RP19: 4/2/2011 9:59:02 AM - Software Distribution Service 3.0
RP20: 4/3/2011 12:47:50 PM - Software Distribution Service 3.0
RP21: 4/4/2011 1:22:50 PM - System Checkpoint
RP22: 4/4/2011 4:55:16 PM - Software Distribution Service 3.0
RP23: 4/4/2011 8:16:06 PM - Removed NetWaiting
RP24: 4/4/2011 8:16:47 PM - Removed NetZeroInstallers
.
==== Installed Programs ======================
.
Actiontec Gateway
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 7.0.8
AOLIcon
avast! Free Antivirus
Broadcom Management Programs
CANON iMAGE GATEWAY Task for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MOV Decoder
Canon MOV Encoder
Canon MovieEdit Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 3.8
Canon Utilities EOS Utility
Canon Utilities Original Data Security Tools
Canon Utilities PhotoStitch
Canon Utilities Picture Style Editor
Canon Utilities WFT Utility
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
CCleaner
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Digital Jukebox Driver
Dell Support 3.2
Dell System Restore
Dell Wireless WLAN Card
Digital Content Portal
Digital Line Detect
DIGOpt
DIGReqEx
Documentation & Support Launcher
ELIcon
EPSON CX5000 Series User's Guide
EPSON Printer Software
EPSON Scan
EPSON Stylus CX5000 Scanner Driver Update
EPSON Web-To-Page
Family Tree Maker 2006
Games, Music, & Photos Launcher
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
High Definition Audio Driver Package - KB835221
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB908673)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB981793)
Intel(R) Graphics Media Accelerator Driver
Internet Service Offers Launcher
LiveUpdate 2.6 (Symantec Corporation)
Malwarebytes' Anti-Malware
MathPlayer
McAfee Security Scan Plus
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office Outlook Connector
Microsoft Picture It! Library 9
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 4.0 (x86 en-US)
MSN
MSN Encarta Plus Support Files
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB973686)
OneCare Advisor (Windows Live Toolbar)
Otto
Photo Transport
PowerDVD 5.7
QuickConnect
QuickTime
Qwest eChat Support Tools
RealPlayer Basic
SearchAssist
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Smart Menus (Windows Live Toolbar)
Sonic Encoders
SpywareBlaster 4.4
Tweak UI
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB914882)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
WebEx Support Manager for Internet Explorer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890927
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892627
Windows XP Hotfix - KB893056
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar
.
==== Event Viewer Messages From Past Week ========
.
4/1/2011 8:16:06 AM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: \??\C:\WINDOWS\system32\winlogon.exe     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
4/1/2011 8:16:06 AM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: NT AUTHORITY\SYSTEM     Process Name: C:\WINDOWS\Explorer.EXE     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:13 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: \??\C:\WINDOWS\system32\winlogon.exe     Action: Quarantine     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:13 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: C:\WINDOWS\Explorer.EXE     Action: Quarantine     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:12 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: \??\C:\WINDOWS\system32\winlogon.exe     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:49:12 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: C:\WINDOWS\Explorer.EXE     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:52 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: \??\C:\WINDOWS\system32\winlogon.exe     Action: Quarantine     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:52 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: C:\WINDOWS\Explorer.EXE     Action: Quarantine     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:51 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\system32\winlogon.exe;process:_pid:912     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: \??\C:\WINDOWS\system32\winlogon.exe     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:48:51 PM, error: Microsoft Antimalware [1119]  - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Virus:Win32/Bamital.L&threatid=2147643949     Name: Virus:Win32/Bamital.L     ID: 2147643949     Severity: Severe     Category: Virus     Path: file:_C:\WINDOWS\explorer.exe;process:_pid:268;winlogonshell:_HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\\SHELL:Explorer.exe     Detection Origin: Local machine     Detection Type: Concrete     Detection Source: Real-Time Protection     User: D8CVMYB1\Eric DeYoung     Process Name: C:\WINDOWS\Explorer.EXE     Action: Clean     Action Status:  To finish removing malware and other potentially unwanted software, restart the computer.      Error Code: 0x800704ec     Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator.      Signature Version: AV: 1.101.563.0, AS: 1.101.563.0, NIS: 0.0.0.0     Engine Version: AM: 1.1.6702.0, NIS: 0.0.0.0
3/31/2011 8:33:30 PM, error: ipnathlp [32003]  - The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.
3/30/2011 12:10:02 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Download     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240022     Error description: The program can't check for definition updates.
3/30/2011 12:10:02 PM, error: Microsoft Antimalware [2001]  - Microsoft Antimalware has encountered an error trying to update signatures.     New Signature Version:      Previous Signature Version: 0.0.0.0     Update Source: Microsoft Update Server     Update Stage: Download     Source Path: http://www.microsoft.com     Signature Type: AntiVirus     Update Type: Full     User: NT AUTHORITY\SYSTEM     Current Engine Version:      Previous Engine Version: 0.0.0.0     Error code: 0x80240022     Error description: The program can't check for definition updates.
.
==== End Of File ===========================

Hi,

Your system is still very heavily infected, There are system critical files that have been infected, if any security applications prompt to remove anything, please DO NOT allow it to do so.

Before we dive into the clean up, we need to take some precautions, first we need to remove one of them Anti-Virus programs that you have installed, having more than one AV is not a good idea, that will conflict with each other and leave your system just as vulnerable as not having any. Both Avast and MS Security Essentials are both very good so it is up to you which one you keep. Please pick one and then uninstall the other.

Please also uninstall:

LiveUpdate 2.6 (Symantec Corporation)
McAfee Security Scan Plus

And then reboot the system.

Then Please Open notepad and copy/paste the text in the quote box below into it:

@echo off cls echo................Searching for File.............. echo...............Please be patient................ echo...............DO NOT Close this Windows........ dir /a d /s "%systemdrive%\explorer.*" > log.txt dir /a d /s "%systemdrive%\Winlogon.*" >> log.txt notepad log.txt del %0

Save this as search.bat
Choose to "Save type as - All Files"
Save it on your desktop.

It should look like this:
Double click on search.bat & allow it to run.

A black DOS window will open, please be patient. Even if it reports No file Found, just leave it for a while to find the files and wait for the Notepade file to open automatically.

Once the search has finished there will be a notepad file saved to your desktop, please copy/paste the contents of the notepad file be to me. And please let me know which AV you decided to keep so we can remove any remain of the other should we need to.

Thanks
K27

 Hi K27,

I kept the Avast and got rid of the Microsoft Security Essentials. Thanks for your help, here is the log file contents:

Volume in drive C has no label.
 Volume Serial Number is 747B-4471

 Directory of C:\i386

08/10/2004  05:00 AM           359,533 EXPLORER.EX_
08/10/2004  05:00 AM               181 EXPLORER.SC_
               2 File(s)        359,714 bytes

 Directory of C:\WINDOWS

04/01/2011  08:36 AM         1,033,216 explorer.exe
08/10/2004  05:00 AM                80 explorer.scf
               2 File(s)      1,033,296 bytes

 Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE

06/13/2007  06:26 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008  07:12 PM         1,033,728 explorer.exe
               1 File(s)      1,033,728 bytes

 Directory of C:\WINDOWS\system32\dllcache

06/13/2007  05:23 AM         1,033,216 explorer.exe
               1 File(s)      1,033,216 bytes

     Total Files Listed:
               7 File(s)      4,493,170 bytes
               0 Dir(s)  44,741,414,912 bytes free
 Volume in drive C has no label.
 Volume Serial Number is 747B-4471

 Directory of C:\i386

08/10/2004  05:00 AM           502,272 winlogon.exe
               1 File(s)        502,272 bytes

 Directory of C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e

04/13/2008  07:12 PM           507,904 winlogon.exe
               1 File(s)        507,904 bytes

 Directory of C:\WINDOWS\system32

04/01/2011  08:36 AM           502,272 winlogon.exe
               1 File(s)        502,272 bytes

     Total Files Listed:
               3 File(s)      1,512,448 bytes
               0 Dir(s)  44,741,414,912 bytes free

Hi,

Good Work,

Please Disable all Anti-virus/Anti-Spyware/FireWall on your machine(instructions via links below)

• Anti Virus
• Anti Spyware
• Firewall

Please download ComboFix.exe. Please visit THIS webpage for download links, and instructions for running the tool:

ComboFix MUST be saved to your desktop before running the tool

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

When prompted to install the recovery console please make sure to do so as this is a VERY IMPORTANT backup of ComboFix (XP only, Vista/Windows 7 will NOT be propmted to install the recovery console)

You will need to be conected to the net to install the recovery console, if you can not install it DO NOT run ComboFix,
Post back and we will install it manually.

DO NOT mouse click when ComboFix is running as this will cause ComboFix to Stall and it will not work as it should

EXTRA NOTES:

• If Combofix detects a Rootkit on the system it will give a warning and prompt for a reboot, please allow it to do so.
• If Combofix reboot's due to a rootkit, the screen may stay black for a few minutes on reboot, this is normal
• On some Vista machines, after running Combofix, you may receive a warning message about registry key's being listed for deletion, when trying to open certain programs. Please reboot the system and this will fix the issue (These certain items will not be deleted)

Please include the C:\ComboFix.txt in your next reply for further review.

Thanks,
K27.

Hi,

I don't think I can install Windows Recovery Console? THanks.

Hi,

Please explain further, what is the exact problem.

Thanks.

Sorry - not sure what I did wrong but tried again and got it installed. Even though I disabled Avast for an hour, it restarted when the computer restarted during ComboFix and I had to disable it again - doesn't seem like it interfered with ComboFix though.

Here is the ComboFix log:

ComboFix 11-04-06.03 - Eric DeYoung 04/07/2011   8:50.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1014.586 [GMT -5:00]
Running from: c:\documents and settings\Eric DeYoung\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Eric DeYoung\WINDOWS
.
c:\windows\system32\winlogon.exe . . . is infected!!
.
Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
.
(((((((((((((((((((((((((   Files Created from 2011-03-07 to 2011-04-07  )))))))))))))))))))))))))))))))
.
.
2011-04-07 01:57 . 2002-01-08 22:00    176128    ----a-w-    c:\windows\system32\RcdScan.dll
2011-04-07 01:57 . 2000-03-23 17:50    446464    ----a-r-    c:\windows\system32\hhactivex.dll
2011-04-07 01:57 . 1999-05-07 18:24    645616    ----a-w-    c:\windows\system32\MSCOMCT2.OCX
2011-04-07 01:57 . 1999-05-07 18:24    414944    ----a-w-    c:\windows\system32\COMCT332.OCX
2011-04-07 01:57 . 1998-11-10 15:46    328480    ----a-w-    c:\windows\system32\ssa3d30.ocx
2011-04-07 01:57 . 1998-06-18 04:00    89360    ----a-w-    c:\windows\system32\VB5DB.DLL
2011-04-07 01:56 . 2000-01-04 10:39    212992    ----a-w-    c:\program files\Common Files\InstallShield\Engine\6\Intel 32\ILog.dll
2011-04-05 23:58 . 2011-04-05 23:58    --------    d--h--w-    c:\windows\system32\GroupPolicy
2011-04-03 19:34 . 2011-04-03 19:35    --------    d-----w-    c:\program files\CCleaner
2011-03-30 17:16 . 2010-10-19 20:51    222080    ------w-    c:\windows\system32\MpSigStub.exe
2011-03-28 18:50 . 2011-03-28 18:50    --------    d-----w-    c:\documents and settings\Eric DeYoung\DoctorWeb
2011-03-26 20:40 . 2011-03-26 20:40    --------    d-----w-    c:\documents and settings\Eric DeYoung\Application Data\Malwarebytes
2011-03-26 20:39 . 2011-03-26 20:39    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes
2011-03-26 20:39 . 2011-04-07 01:06    --------    d-----w-    c:\program files\Malwarebytes' Anti-Malware
2011-03-25 20:35 . 2011-04-05 02:17    --------    d-----w-    c:\program files\Spybot - Search & Destroy
2011-03-25 20:35 . 2011-04-05 02:17    --------    d-----w-    c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-25 19:28 . 2011-03-25 19:28    --------    d-----w-    c:\documents and settings\Eric DeYoung\Local Settings\Application Data\Mozilla
2011-03-24 13:26 . 2011-04-07 13:44    --------    d---a-w-    c:\documents and settings\All Users\Application Data\TEMP
2011-03-24 13:26 . 2011-03-26 20:53    --------    d-----w-    c:\program files\SpywareBlaster
2011-03-23 14:06 . 2011-02-23 13:56    301528    ----a-w-    c:\windows\system32\drivers\aswSP.sys
2011-03-23 14:06 . 2011-02-23 13:54    19544    ----a-w-    c:\windows\system32\drivers\aswFsBlk.sys
2011-03-23 14:06 . 2011-02-23 13:55    25432    ----a-w-    c:\windows\system32\drivers\aswRdr.sys
2011-03-23 14:06 . 2011-02-23 13:56    371544    ----a-w-    c:\windows\system32\drivers\aswSnx.sys
2011-03-23 14:06 . 2011-02-23 13:55    49240    ----a-w-    c:\windows\system32\drivers\aswTdi.sys
2011-03-23 14:06 . 2011-02-23 13:55    102232    ----a-w-    c:\windows\system32\drivers\aswmon2.sys
2011-03-23 14:06 . 2011-02-23 13:55    96344    ----a-w-    c:\windows\system32\drivers\aswmon.sys
2011-03-23 14:05 . 2011-02-23 13:54    30680    ----a-w-    c:\windows\system32\drivers\aavmker4.sys
2011-03-23 14:05 . 2011-02-23 14:04    40648    ----a-w-    c:\windows\avastSS.scr
2011-03-23 14:05 . 2011-02-23 14:04    190016    ----a-w-    c:\windows\system32\aswBoot.exe
2011-03-23 13:44 . 2011-03-23 13:44    --------    d-----w-    c:\windows\system32\wbem\Repository
2011-03-23 13:23 . 2011-04-07 13:45    --------    d-----w-    c:\documents and settings\Eric DeYoung\Application Data\Sammsoft
2011-03-22 21:17 . 2011-03-23 13:43    --------    d-----w-    c:\program files\Microsoft Silverlight
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-05 13:16 . 2010-10-18 13:10    14744    ----a-w-    c:\documents and settings\Eric DeYoung\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2011-04-01 13:36 . 2005-08-16 09:18    502272    ----a-w-    c:\windows\system32\winlogon.exe
2011-02-04 23:48 . 2005-08-16 09:18    456192    ----a-w-    c:\windows\system32\encdec.dll
2011-02-04 23:48 . 2005-08-16 09:18    291840    ----a-w-    c:\windows\system32\sbe.dll
2009-04-11 16:02 . 2009-04-11 16:02    21068096    ----a-w-    c:\program files\FTBDL.exe
2011-03-18 17:53 . 2011-03-25 19:39    142296    ----a-w-    c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
.
[-] 2011-04-01 . A20FF80DCB922455C2387A68ABE9F7B8 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-02-23 14:04    122512    ----a-w-    c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-10 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-10-14 98304]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-02-23 3451496]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-10-14 24576]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [3/23/2011 9:06 AM 371544]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [3/23/2011 9:06 AM 301528]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [3/23/2011 9:06 AM 19544]
S1 aysavaxx;aysavaxx;\??\c:\windows\system32\drivers\aysavaxx.sys --> c:\windows\system32\drivers\aysavaxx.sys [?]
S1 dycihimh;dycihimh;\??\c:\windows\system32\drivers\dycihimh.sys --> c:\windows\system32\drivers\dycihimh.sys [?]
S1 gskrdqwk;gskrdqwk;\??\c:\windows\system32\drivers\gskrdqwk.sys --> c:\windows\system32\drivers\gskrdqwk.sys [?]
S1 hgcqpgrl;hgcqpgrl;\??\c:\windows\system32\drivers\hgcqpgrl.sys --> c:\windows\system32\drivers\hgcqpgrl.sys [?]
S1 htzwckvw;htzwckvw;\??\c:\windows\system32\drivers\htzwckvw.sys --> c:\windows\system32\drivers\htzwckvw.sys [?]
S1 ixthvmwc;ixthvmwc;\??\c:\windows\system32\drivers\ixthvmwc.sys --> c:\windows\system32\drivers\ixthvmwc.sys [?]
S1 kimezjsp;kimezjsp;\??\c:\windows\system32\drivers\kimezjsp.sys --> c:\windows\system32\drivers\kimezjsp.sys [?]
S1 lftjhcsc;lftjhcsc;\??\c:\windows\system32\drivers\lftjhcsc.sys --> c:\windows\system32\drivers\lftjhcsc.sys [?]
S1 njmctyra;njmctyra;\??\c:\windows\system32\drivers\njmctyra.sys --> c:\windows\system32\drivers\njmctyra.sys [?]
S1 nraokdhg;nraokdhg;\??\c:\windows\system32\drivers\nraokdhg.sys --> c:\windows\system32\drivers\nraokdhg.sys [?]
S1 nzjfxqjs;nzjfxqjs;\??\c:\windows\system32\drivers\nzjfxqjs.sys --> c:\windows\system32\drivers\nzjfxqjs.sys [?]
S1 obfvlddf;obfvlddf;\??\c:\windows\system32\drivers\obfvlddf.sys --> c:\windows\system32\drivers\obfvlddf.sys [?]
S1 pqpsozec;pqpsozec;\??\c:\windows\system32\drivers\pqpsozec.sys --> c:\windows\system32\drivers\pqpsozec.sys [?]
S1 qgffakcw;qgffakcw;\??\c:\windows\system32\drivers\qgffakcw.sys --> c:\windows\system32\drivers\qgffakcw.sys [?]
S1 rnhetqzs;rnhetqzs;\??\c:\windows\system32\drivers\rnhetqzs.sys --> c:\windows\system32\drivers\rnhetqzs.sys [?]
S1 sctxshpc;sctxshpc;\??\c:\windows\system32\drivers\sctxshpc.sys --> c:\windows\system32\drivers\sctxshpc.sys [?]
S1 sparyilh;sparyilh;\??\c:\windows\system32\drivers\sparyilh.sys --> c:\windows\system32\drivers\sparyilh.sys [?]
S1 tmvmfdhb;tmvmfdhb;\??\c:\windows\system32\drivers\tmvmfdhb.sys --> c:\windows\system32\drivers\tmvmfdhb.sys [?]
S1 tmywegcr;tmywegcr;\??\c:\windows\system32\drivers\tmywegcr.sys --> c:\windows\system32\drivers\tmywegcr.sys [?]
S1 vajeveck;vajeveck;\??\c:\windows\system32\drivers\vajeveck.sys --> c:\windows\system32\drivers\vajeveck.sys [?]
S1 vehhyiet;vehhyiet;\??\c:\windows\system32\drivers\vehhyiet.sys --> c:\windows\system32\drivers\vehhyiet.sys [?]
S2 gupdate1c98a12e8536556;Google Update Service (gupdate1c98a12e8536556);c:\program files\Google\Update\GoogleUpdate.exe [2/8/2009 12:30 PM 133104]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-06 14:54]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 17:30]
.
2011-04-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-08 17:30]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://us.mg5.mail.yahoo.com/dc/launch?.gx=1&.rand=22iueibg12q0v
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/?fr=fp-yma3
uInternet Settings,ProxyOverride =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Eric DeYoung\Application Data\Mozilla\Firefox\Profiles\518xzb96.default\
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-ModemOnHold - c:\program files\NetWaiting\netWaiting.exe
HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
HKCU-Run-Search Protection - c:\program files\Yahoo!\Search Protection\SearchProtection.exe
HKLM-Run-Microsoft Works Update Detection - c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-07 09:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10m_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\stsystra.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-04-07  09:06:11 - machine was rebooted
ComboFix-quarantined-files.txt  2011-04-07 14:06
.
Pre-Run: 44,271,521,792 bytes free
Post-Run: 44,328,632,320 bytes free
.
- - End Of File - - D4DF57D36DC19EC9E42D754EFFC83021

Hi,

Please let me know, do you have your Windows Installation disk.

Thanks.

Yes I do.

Hi,

Please go to Virus Total where you will see a browse button in the middle of the screen.

• Click the Browse button
• Locate the following file(s)

c:\windows\system32\drivers\gskrdqwk.sys
c:\windows\system32\drivers\nzjfxqjs.sys
c:\windows\system32\drivers\tmywegcr.sys

• Click Send File
• Post Reports back to this thread

Note: you may need to show hidden files to locate the files requested:

Please open any Windows Explorer window such as "My Computer" or "My Documents", any will do.

• Please click Tools on the top menu bar and then click Folder Option
• Then in the Folder option window click the View tab
• Put a checkmark in the checkbox labeled Display the contents of system folders
• Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders"
• Remove the checkmark from the checkbox labeled "Hide file extensions for known file type"
• Remove the checkmark from the checkbox labeled "Hide protected operating system files"
• Then please click Apply and then click OK
• you can now close all Windows Explorer windows until you are back at the Desktop.

Remember to hide hidden files/folders by reversing the action when you have finished

Please post the three VT reports back for review.

Thanks.

Hi,

I followed all the directions for showing the system files, but I can't find any of the 3 files mentioned above.I got an email about running Secunia, but I noticed that it wasn't in this thread - I was supposed to do that, right? I downloaded all the updates Secunia found, but when I ran Secunia again, it detected all the same updates again as if I hadn't installed them.

Hi,

The Secunia instructions were for someone else, I posted them to the wrong thread first, not to worry, no harm would have been done.

Insert your XP disc then reboot your machine and when the manafacture splash screen first shows up hit F2 (may be another F key) to take you into BIOS, use the arrow keys to navigate to boot options and make sure your DVD drive is at the top of the boot list. This is normally done by using the plus (+) and minus (-) keys to move a boot drive up and down.
Navigate to exit and be sure to sroll down to EXIT and SAVE changes

NOTE: The above instructions may differ slightly depending on your system and manufacture

Your machine will now reboot, watch the screen and when prompted to Press any key to boot from CD/DVD, please do so.

Give the machine some time to boot from the disc and on the first options screen once the disc's files have loaded, choose the second option, Repair, by hitting the R button.
You will the be asked to pick a Harddrive partition to repair, this is normally C:\, you will need to type the number next to your main boot drive and hit enter.
If you are asked for a administrator password please enter it or just press enter if you do not have one.
You will now be presented with a command prompt. C:\WINDOWS>_ (the underscore is where you need to start typing)

Please type the following and hit enter:

map

This command will bring up a list of your drives, you need to look for the CD/DVD drive which will be listed like this, D: \Device\CdRom0
In this case D: is the disc drive so we will use that as the example.

IF YOUR DISC DRIVE IS NOT "D:" THEN REPLACE THE "D" IN THE NEXT COMMANDS WITH WHAT EVER YOUR DISC DRIVE IS LISTED UNDER, FAILURE TO FOLLOW THIS WILL RESULT IN THIS NOT WORKING HOW IT SHOULD

Type the following bolded command exactly as it is typed below, replacing “D:” with your CD drive letter.

copy d:\i386\winlogon.ex_ c:\windows\system32 (note the space between "copy" and "d" and also between "_" and "C:") hit enter

You may then be asked "do you want to over write above file" type "Y" and hit enter

You should see the message “1 file(s) copied.” – this means it worked.

Then type EXIT at the command prompt and hit enter

The machine will now reboot, DO NOT hit any keys when prompted just let it boot as normal and then take your disc out.

Once back in normal Windows mode, please permanently disable Avast and then run Combofix again, If Combofix prompts for an update, please allow it to do so.

Please post the fresh Combofix log back for review.

Thanks.