Can't run virus/spyware/adware scans, Firefox, IE, etc.

I've delted all the gey******** files, managed to do that Saturday. Looks like it's something else. With running the script, don't you use cscript, as the FAQ on the Silent Running site says? Avenger, is that something else?

I found a file in D:\WINDOWS\system32, called qmgr.dll. I looked back at the first Combo-Fix scan I did last Thurssday. It didn't finish, closed after 30secs or so, but it did post the following log:

ComboFix 09-09-09.04 - mig 10/09/2009 19:06.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.243 [GMT 9:00]
Running from: c:\combo-fix\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1659004503-796845957-725345543-1003
c:\recycler\S-1-5-21-854245398-1935655697-1801674531-1003
C:\smp.bat
c:\windows\atualmenteo.dll
c:\windows\iexplorer.exe
c:\windows\system\KEYBOARD1.DRV

c:\windows\system32\qmgr.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2009-08-10 to 2009-09-10 )))))))))))))))))))))))))))))))
.

2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-09-10 09:08 . 2009-09-10 09:09 -------- d-----w- C:\warhor
2009-09-10 09:08 . 2009-09-10 09:08 -------- d-----w- c:\documents and settings\mig\Application Data\SUPERAntiSpyware.com
2009-09-10 09:04 . 2009-09-10 09:04 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\mig\Application Data\Malwarebytes
2009-09-10 04:36 . 2009-08-03 04:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 04:36 . 2009-09-10 04:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-10 04:36 . 2009-08-03 04:36 18456 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-10 04:35 . 2009-09-10 09:07 -------- d-----w- C:\heyho
2009-09-08 12:37 . 2002-08-28 16:32 56832 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2002-08-20 1511453]
"SUPERAntiSpyware"="c:\warhor\warhor\SUPERAntiSpyware.exe" [2009-09-04 1994480]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2002-08-29 13312]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\warhor\warhor\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 06:21 548352 ----a-w- c:\warhor\warhor\SASWINLO.dll

R1 SASDIFSV;SASDIFSV;c:\warhor\warhor\sasdifsv.sys [4/09/2009 2:50 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\warhor\warhor\SASKUTIL.SYS [4/09/2009 2:49 PM 74480]
R3 SASENUM;SASENUM;c:\warhor\warhor\SASENUM.SYS [4/09/2009 2:50 PM 7408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.westnet.com.au/
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
TCP: {8C037449-ED60-44E7-987E-C2AE22790ED3} = 203.21.20.20,203.10.1.9
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-10 19:10
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(672)
c:\windows\System32\ODBC32.dll
c:\warhor\warhor\SASWINLO.dll

- - - - - - - > 'lsass.exe'(728)
c:\windows\System32\dssenh.dll

- - - - - - - > 'explorer.exe'(956)
c:\windows\System32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-09-10 19:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-10 10:11

Pre-Run: 231,311,360 bytes free
Post-Run: 210,669,568 bytes free

93



It says that qmgr.dll is infected. I tried deleting it, can't and will try in safemode. Is it better to startup in Safemode or Safemode with Networking?

 

Run GMER again 1 check box at a time and paste here. See how far you can get with it now. And The Avenger is something else than SilentRunners

Wish we could chat faster like through messenger so we could try to figure this out faster.

 

There are plenty of posts by others who needed help that 2oldgeek helped fix,find any of those threads will give you some idea of how to go about at least getting your comp to a usable standard.


below is a link for a free live cd that is for fixing virus infected computers,i have never used it however PCMech recommends it so it's safe to assume it's legit

http://www.freedrweb.com/cureit/?lng=en

Personally i'd save any data & reformat,if you can't boot or the virus makes things awkward then place the hdd in an external housing & get any data you need that way,coz you'll more than likely find once infected & even if you repair it,things just won't work the same.

Next some freebies so it don't happen again unless your stupid,these 3 should solve any future problems,unless you install crap without scanning it first,all three are free & realtime scanners

Spywareterminater with HIPS enabled
Avast antivirus
comodo firewall

 

I had searched the forum here and none of the information on the other few threads about the same sort of infection worked for me. Malwarebytes' Anti-Malware looked like it would work, but like the other programs explained,it too didn't scan and then was inaccessible.

Chances are I will do a reinstall of XP, because the little issues left on my computer (like not being able to unblock IE, ComboFix and still not being able to scan with AVG Free Antivirus)

 

Another way to retrieve data if an external housing & another computer are unavailable is to install linux to any free space,something like ubuntu as it can install automatically for you,it's free as is kubuntu & puppy linux there are many other free linux OS's available,all can be viewed at distro watch

 

I am busy with work as well as family, but really spending all of my spare time here (got a pretty bad headache after a week on this).


First GMer scan - System

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 17:34:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF6908FC0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateFile [0xF6905C80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateKey [0xF6920170]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreatePort [0xF6909580]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xF691D900]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xF691DB10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateSection [0xF6921B10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xF6909670]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xF6906210]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xF69209F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xF69207A0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xF691D280]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey [0xF6920F10]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xF6920F90]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenFile [0xF6906070]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xF691F180]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwOpenThread [0xF691EF40]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRenameKey [0xF69216F0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xF6921150]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xF6908BE0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xF6921540]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xF6909190]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xF6906440]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xF69204E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xF691E200]
SSDT \??\D:\Download Programs\Downloadcom programs\SUPERAntiSpyware\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xEE19C0B0]

---- EOF - GMER 1.0.15 ----




Next - Section

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 18:03:32
Windows 5.1.2600 Service Pack 2


---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [80, 95, 90, F6, 00, D9, 91, ...]
.text ntoskrnl.exe!_abnormal_termination + 1D5 804E2831 7 Bytes [0F, 92, F6, 90, 0F, 92, F6] {SETB DH; NOP ; SETB DH}
? srescan.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\MSN Messenger\MsnMsgr.Exe[1888] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes JMP 004DE392 D:\Program Files\MSN Messenger\MsnMsgr.Exe (Messenger/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




Next - IAT/EAT

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 19:05:21
Windows 5.1.2600 Service Pack 2


---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F6926B30] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F690DB20] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F690BE90] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F690E260] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F690D930] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F6906980] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F69068D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F6906A80] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F69065E0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 0133BCA0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 0133BC50
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01337EA0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 01339100
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0133AA10
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01339370
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01339180
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0133A010
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0133B950
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0133B990
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 0133BD30
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0133B810
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0133A970
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01339930
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 013392E0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01339660
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 0133C2B0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0133A360
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0133A7D0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0133AE90
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0133AC20
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0133AE10
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0133B2F0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0133B000
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01339250
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 013397E0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0133BA70
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0133AD60
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0133A910
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0133A790
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0133AB20
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 0133BD50
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0133AB60
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 0133BFF0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 0133BF90
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 0133C1E0
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 0133C280
IAT D:\Registry Mechanic\RegMech.exe[1884] @ D:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 0133C0B0

---- EOF - GMER 1.0.15 ----




Next - Devices

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 19:06:27
Windows 5.1.2600 Service Pack 2


---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Check Point Software Technologies LTD)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----




Next - Modules

NOTHING



Next - Processes

NOTHING




Next - Threads

NOTHING




Next - Libraries

NOTHING




Next - Services

NOTHING



Next - Registry

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net
Rootkit scan 2009-09-14 19:16:02
Windows 5.1.2600 Service Pack 2


---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

---- EOF - GMER 1.0.15 ----




Next - Files (AFTER A LONG, 8 HOUR SCAN)

NOTHING





Also, the following documents/files appeared on my D:\ drive (the largest partition and the one that is infected and I always use)
- $AVG8.VAULT$ (I am sure this is related to AVG Free Antivirus, but never appeared there before)
- 32788R22FWJFW (This has to do with Combo-Fix,so maybe that's to be expected
- Avenger (this document appeared after the first time I used Malwarebytes' Anti-Malware and it is empty, nothing in it at all, even hidden files)
- WUTemp (Also appeared Thursday)
- Qoobox (Appeared yesterday morning)
- Bug.txt (Looks like related to Combo-Fix and the first scan with it)
- Start_ (Windows NT Command Script according to properties)(Created Thursday, Modified last night so about 24 hours ago)(size 322bytes,so very small)

Also, I can no longer connect to peers properly with utorrent. I have forwarded the port well and since Friday, utorrent says that I have a port forwarding problem. It has to be the infection that has changed something, as I use a program called PFPortChecker and it tells you whether the port is in fact properly forwarded


Also, do you know how to save and copy Firefox bookmarks, where the bookmarks file or folder is located. I need this so I can copy that to another hard drive so I can then place back in firefox after reinstalling XP, which I'll be ding tonight, in about eight hours or so

 

That's weird that it came up as NOTHING for a few scans, like Processes/services.

Anyways does it let you download/save a fresh copy of Hijackthis? IF you can get that scan you can probably fix most the problems.

Also did you ever delete the folders C:\Warhor and C:\Heyho?

Would be horrible to reformat after getting rid of most of the malware already.

But bookmarks for firefox I believe are:

C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILENAME\Bookmarks.html



NEXT:

To get Internet Explorer working do that Security Tab permissions thing in the main folder where Internet Explorer is stored.

C:\Program Files\Internet Explorer\Iexplore.exe

Right click properties, security tab, edit, Uncheck the Deny Access under Everyone, and set full control to your user name.

Click OK, click advanced, owner tab, edit, click your name, click apply, ok.

But probably shouldn't launch it right away in case it takes you to the site that gave you the Malware in the first place.


If you still can't run Hijackthis. Get a list of services by a screenshot or something so we can see if any are malicious and should be disabled.

To access services:

Click start > Run > type services.msc, press enter.


If we figure out which ones to disable, if any, then it might let you run scans that show details of the malware files so you can remove it completely.

 

I downloaded and installed HiJackThis this morning,under a different name, and it scanned completely. The log is below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:51 AM, on 16/09/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
D:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Brother\ControlCenter3\brccMCtl.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Registry Mechanic\RegMech.exe
D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe
D:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Download Programs\Firefox\Mozilla Firefox\firefox.exe
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\system32\ntvdm.exe
D:\PROGRA~1\AVG\AVG8\avgnsx.exe
D:\Program Files\AVG\AVG8\avgupd.exe
D:\Download Programs\Downloadcom programs\HoHo\HoHo\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.westnet.com.au/
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - D:\Program Files\AskBarDis\bar\bin\askBar1.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - D:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - D:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: ZoneAlarm Spy Blocker Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - D:\Program Files\AskBarDis\bar\bin\askBar1.dll
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] D:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] D:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] D:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] D:\Program Files\Brother\Brmfl06a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter3] D:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Adobe\Reader 9.0 Only\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ZoneAlarm Client] "D:\Download Programs\Downloadcom programs\ZoneAlarm 8.0.065\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RegistryMechanic] D:\Registry Mechanic\RegMech.exe /H
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Taskbar Shuffle] D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [RegistryMechanic] D:\Registry Mechanic\RegMech.exe /H (User '?')
O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1659004503-796845957-725345543-1003\..\Run: [Taskbar Shuffle] D:\Download Programs\Downloadcom programs\Taskbar shuffle\Taskbar Shuffle\taskbarshuffle.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Acrobat Assistant.lnk = F:\Adobe\Adobe Acrobat 6\Adobe Acrobat 6.0 Professional\Acrobat 6.0\Distillr\acrotray.exe (User '?')
O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User '?')
O4 - S-1-5-21-1659004503-796845957-725345543-1003 Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE (User '?')
O4 - Startup: Acrobat Assistant.lnk = F:\Adobe\Adobe Acrobat 6\Adobe Acrobat 6.0 Professional\Acrobat 6.0\Distillr\acrotray.exe
O4 - Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - D:\Download Programs\Download Accelerator\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - D:\Download Programs\Download Accelerator\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\Download Programs\Download Accelerator\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - D:\Download Programs\Downloadcom programs\KeyScrambler\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1195576713921
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.putfile.com/includes/ImageUploader4-5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BFF8A205-FEDC-457C-B0BE-77D5922B9C8E}: NameServer = 203.21.20.20,203.10.1.9
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - D:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - Winlogon Notify: !SASWinLogon - D:\Download Programs\Downloadcom programs\SUPERAntiSpyware\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - D:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - D:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - D:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Windows Display Manager (Windows Display Driver Manager) - Unknown owner - D:\Program Files\Common Files\System\Nvcpl.exe (file missing)

--
End of file - 10388 bytes



Also, I'm not able to delete the other HiJackThis "install" .exe file, the first HiJackThis I got a week ago. It says access is denied,so I can't use it or delete it.


But bookmarks for firefox I believe are:

C:\Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\PROFILENAME\Bookmarks.html


NEXT:

To get Internet Explorer working do that Security Tab permissions thing in the main folder where Internet Explorer is stored.

C:\Program Files\Internet Explorer\Iexplore.exe

Right click properties, security tab, edit, Uncheck the Deny Access under Everyone, and set full control to your user name.

Click OK, click advanced, owner tab, edit, click your name, click apply, ok.

As for firefox bookmarks, the Bookmarks.html file opens in firefox and takes me to a help site for using firefox. Alternatively it can be open in notepad, but it is not really readable. If I copy that file to another hardrive and then place it in the same folder after I reinstall XP Pro and then firefox, would that then make all the bookmarks appear in firefox again?

As for unblocking IE - I right click the Internet Explorer.exe file, but there is no "Security Tab". What there is is "General", "Program", "Font", "Memory", "Misc", "Screen" and "Compatibility". Unlike with the other programs I could unblock,there is no selection allowing me to unblock, so I am unable to do anything.

Also, and still the most baffling and irritating of all the problems left, is the fact that my router seems to have been affected as well. utorrent says that the ports I forwarded (over a month ago and everything was well) are not available or forwarded properly.I checke my router settings and all is well and the same as before. I am not using a firewall either right now, so not sure what is going on there.


If you can please have a look at the problems I still have and the HiJackThis log and see if you can help, it would be much appreciated.

Thanks heaps for your help, it is real nice of you, but it does look like the only safe way is to reinstall XP Pro

 

My last idea is to try using Dr Web Cureit. Scan for problems and see what happens. Also scan using Registry Mechanic which is on your computer to see if that can repair any problems. And then run Combofix again.

I am sorry your computer still has some problems, but if you have the data backed up and Windows Installation Disks, I would reformat Windows as a safer choice, Though it looks like most of it is gone already.

Is Iexplore.exe using the extension .exe?

Are any newly installed programs still being blocked? You can repair internet explorer and remove any other access denied files and get them again.

Any other problems other than access denied errors and Utorrent problems? You may have got the Malware from a torrent file in the first place.

Good luck and post back what you end up doing, log scans if you ran them all again, etc.

In Internet explorer it shows you have toolbars Browser Helper Objects. They are not malicious, but if you don't use them you won't need them installed and can remove them with uninstall manager and cleanup any remaining files using hijackthis.

 

Thanks a heap, very much appreciated. I will reinstall XP tomorrow. This forum really does have some knowledgeable people and that makes solving problems so much easier

 

Windows Vista Home Premuim SP1
Memory 2.50 GB
32 Bit Operating System
Intel Core 1.86 GHz

Just looking for some advice basically.
I have noticed some strange behaviour from my PC lately as it has started running very slow at times and this really is the first time this has happened since I bought the system back in 2007 I have also opened the pc and hoovered all the dust away but this hasn't really improved things and very recently my keyboard has altered as in my @ symbol has to be made by holding shift + 2 and it was never like this before which leads me to believe I have some sort of virus and so does the fact that on some websites the text appears bold in places and normal in others which is clearly not normal behaviour, I have performed a scan and given a log below only I don't understand it and can't work out if there is anything suspicious.
I appreciate any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:13, on 01/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\O2\bin\sprtcmd.exe
C:\Program Files\NoAdware\NoAdware5.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\RelevantKnowledge\rlvknlg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Vuze\Azureus.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [LDCMSync] C:\Program Files\Intel\LDCM\Bin\LDCMSync.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [O2] "C:\Program Files\O2\bin\sprtcmd.exe" /P O2
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [NoAdware5] "C:\Program Files\NoAdware\NoAdware5.exe" :Min:
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.broadband.o2.co.uk
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: ASKService - Unknown owner - C:\Program Files\AskBarDis\bar\bin\AskService.exe
O23 - Service: ASKUpgrade - Unknown owner - C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel Bootstrap Agent - Intel Corporation - C:\Program Files\Intel\BootStrap Agent\Bsa.exe
O23 - Service: Intel CI Manager - Intel(R) Corporation - C:\Program Files\Intel\LDCM\ci\cimgr\CiMgrLdr.exe
O23 - Service: Intel IIDS - Intel(R) Corporation - C:\Program Files\Intel\LDCM\bin\IIDS.exe
O23 - Service: Intel SSM - Intel(R) Corporation - C:\Program Files\Intel\LDCM\bin\ssm.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: SupportSoft Sprocket Service (O2) (sprtsvc_O2) - SupportSoft, Inc. - C:\Program Files\O2\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: win32sl - Smart Technology Enablers - C:\Program Files\Intel\DMI\BIN\WIN32SL.EXE

--
End of file - 7351 bytes

I have not deleted anything from this scan as I wanted a knowledgeable opinion first.

Thankyou.