Full Version: Windows Police Pro And Windows Explorer
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
Agrantstl
I'm not too sure what's going on with my computer. I logged on a few days ago and a few pop-ups from "Windows Police Pro" popped up, so I ran the usual "Malwarebytes" and "SUPERAntiSpyware" and scanned with "IObit 360 Security". The pop-ups stopped and everything was fine. A day later I logged on and my Windows Explorer was gone along with my desktop icons, and any time I try to run any of my antivirus programs they close themselves in a matter of seconds.
The only thing I can do is navigate around with Task Manager and open Firefox.

---I did manage to get Malwarebytes to run.

Here are fresh logs of HJT and MBAM.

Thank you for your time.

A. Grant


Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 2

10/17/2009 6:03:11 PM
mbam-log-2009-10-17 (18-03-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 411278
Time elapsed: 1 hour(s), 39 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\giwawawo.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\dasejaru.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\dijuzihi.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\forukabe.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\refobaju.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\remebeyi.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\gogihuho.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\huhugafe.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\isasdk.sys.vir (Backdoor.Bot) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\kedisuzo.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\kejepuha.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\konowahu.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\luyeduje.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\MSINET.oca.vir (Malware.Trace) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\SKYNETesisvtmp.dll.vir (Rootkit.TDSS) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\SKYNETftnxvkpd.dll.vir (Rootkit.TDSS) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\SKYNETmitgggyw.dll.vir (Rootkit.TDSS) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\SKYNETrcjpibmi.dll.vir (Trojan.FakeAlert) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\wujuleza.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\yekotosu.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\yozekute.dll.vir (Trojan.Vundo) -> No action taken.
C:\QooBox\Quarantine\C\WINDOWS\system32\zehekilo.dll.vir (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LUVS1QF\logo[1].htm (Trojan.Vundo) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:47 PM, on 10/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Ray Adams\ATI Tray Tools\atitray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\SypherX\Computer Info Software\procexp.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivguardian.com
O1 - Hosts: 94.232.248.66 www.antivguardian.com
O2 - BHO: (no name) - {ad2c2290-be52-4728-a5c3-d8b4d0851675} - wujuleza.dll (file missing)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [PSPVideoConverter_upgrade] "C:\Program Files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" /upgrade
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IObit Security 360] C:\Program Files\IObit\IObit Security 360\IS360tray.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF4682.exe /c C:\ComboFix\Combobatch.bat
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "N:\Malwarebytes' Anti-Malware\zzasa.exe" /runcleanupscript
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [scheduler_monitor] C:\Program Files\ReaConverter 5.5 Pro\init_scheduler.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] N:\SUPERAntiSpyware.exe
O4 - Startup: HDDTempNet-warning.lnk = C:\Program Files\PalickSoft\HDD Temperature Enterprise\Warning.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: Neverwinter Nights Registration.lnk = C:\NeverwinterNights\NWN\ereg\ATR1.EXE
O4 - Startup: PSPdisp.lnk = C:\Program Files\PSPdisp\bin\app\PSPdisp.exe
O4 - Global Startup: BDARemote.lnk = ?
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Install Pending Files.LNK = C:\Program Files\SIFXINST\SIFXINST.EXE
O4 - Global Startup: McAfee Security Scan.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lspqxy.dll' missing
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {2019DC25-D1C0-11D6-97B3-0008A124F542} - http://www.streamplug.com/StreamPlug/beta/SP.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_v1004 Class) - http://holic.netgame.com/launch/object/mglaunch_USAv1004.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
O16 - DPF: {BD08A9D5-0E5C-4F42-99A3-C0CB5E860557} (CSolidBrowserObj Object) - http://www.solidstatenetworks.com/demos/pl...lidstateion.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4E709758-3F9A-409C-9E32-8912A721E9D2}: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: !SASWinLogon - N:\SASWINLO.dll
O20 - Winlogon Notify: pmnmmNhF - pmnmmNhF.dll (file missing)
O21 - SSODL: puferadod - {d3db0d13-be4e-428a-a5cb-12d8b00cb9a5} - (no file)
O21 - SSODL: vofaribay - {25e3e1e3-daaf-420b-8d6f-02f57ec7d0b8} - (no file)
O21 - SSODL: yuwimivuv - {48ba8d8c-2237-4324-b50e-e3ce7093a182} - (no file)
O21 - SSODL: pazesawof - {ce7e8964-ebb1-4cdc-ad03-d8392fbfbe44} - (no file)
O21 - SSODL: kutubaduv - {36f1a11d-5ade-40c4-9ae4-33143a10d182} - (no file)
O21 - SSODL: yimobunej - {10dc079c-9224-4ba1-99b8-23b2ad3a691e} - (no file)
O21 - SSODL: fimakodur - {a95a2358-feb9-4df7-9cee-6a17f3c5dc8a} - (no file)
O21 - SSODL: yuwudagat - {7ef22fb4-d8ce-4775-88cd-56b05fad62e5} - (no file)
O21 - SSODL: dokihehih - {86bcaf1f-ba04-4679-99e9-13ea47ce8d1e} - (no file)
O21 - SSODL: nuravujas - {358dfbf5-88e9-4bf6-93fb-8eddd06dc280} - (no file)
O21 - SSODL: medisobew - {bd380dff-30a7-4d0b-ada3-d31a2267928c} - (no file)
O21 - SSODL: resusijom - {7d5ee03f-06e8-4879-951c-326f42595c9a} - c:\windows\system32\refobaju.dll (file missing)
O21 - SSODL: peyujosef - {a0dadd45-a590-404d-b9e6-c56fc3e09245} - c:\windows\system32\giwawawo.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {7d5ee03f-06e8-4879-951c-326f42595c9a} - c:\windows\system32\refobaju.dll (file missing)
O22 - SharedTaskScheduler: mujuzedij - {a0dadd45-a590-404d-b9e6-c56fc3e09245} - c:\windows\system32\giwawawo.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HDD Temperature Enterprise Server (HDDTempNetServer) - Unknown owner - C:\Program Files\PalickSoft\HDD Temperature Enterprise\HDDNetTempServer.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: IS360service - IObit - C:\Program Files\IObit\IObit Security 360\IS360srv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: Desktop (Service_Desktop) - Unknown owner - C:\Program Files\Free-Soft\Virtual Desktop\Desktop.exe (file missing)

--
End of file - 10412 bytes

HKEd
Welcome to SAF, Agrantstl.

Can you post the ComboFix log (C:\Combofix.txt)?
Agrantstl
Here's a ComboFix log.

Thank you again.

ComboFix 09-10-16.09 - Owner 10/18/2009 0:21.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.603 [GMT -5:00]
Running from: N:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Xilisoft\Audio Converter\lang\_desktop.ini
c:\program files\Xilisoft\Audio Converter\Plugins\_desktop.ini
c:\program files\Xilisoft\Audio Converter\skin\Default\_desktop.ini
c:\windows\Install.txt
c:\windows\system32\bakefuni.dll
c:\windows\system32\Drivers\yezzejmo.sys
c:\windows\system32\Install.txt
c:\windows\system32\kilatape.dll
c:\windows\system32\mejiyolo.exe
c:\windows\system32\schtml
c:\windows\system32\schtml\images\i1.gif
c:\windows\system32\schtml\images\i2.gif
c:\windows\system32\schtml\images\i3.gif
c:\windows\system32\schtml\images\j1.gif
c:\windows\system32\schtml\images\j2.gif
c:\windows\system32\schtml\images\j3.gif
c:\windows\system32\schtml\images\jj1.gif
c:\windows\system32\schtml\images\jj2.gif
c:\windows\system32\schtml\images\jj3.gif
c:\windows\system32\schtml\images\l1.gif
c:\windows\system32\schtml\images\l2.gif
c:\windows\system32\schtml\images\l3.gif
c:\windows\system32\schtml\images\pix.gif
c:\windows\system32\schtml\images\t1.gif
c:\windows\system32\schtml\images\t2.gif
c:\windows\system32\schtml\images\up1.gif
c:\windows\system32\schtml\images\up2.gif
c:\windows\system32\schtml\images\w1.gif
c:\windows\system32\schtml\images\w11.gif
c:\windows\system32\schtml\images\w2.gif
c:\windows\system32\schtml\images\w3.gif
c:\windows\system32\schtml\images\w3.jpg
c:\windows\system32\schtml\images\wt1.gif
c:\windows\system32\schtml\images\wt2.gif
c:\windows\system32\schtml\images\wt3.gif
c:\windows\system32\schtml\wispex.html
c:\windows\system32\vahoremo.exe
c:\windows\system32\yasijote.exe
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\autorun.inf
c:\program files\Need2Find
c:\program files\Need2Find\bar\History\search
c:\program files\WinPCap
c:\program files\WinPCap\rpcapd.exe
c:\temp\vtmp2
c:\temp\vtmp2\ktnv33.log
c:\windows\ctions.dll
c:\windows\Install.txt
c:\windows\Installer\3cb8e.msi
c:\windows\Installer\57292ec.msi
c:\windows\Installer\57292ed.msp
c:\windows\Installer\57292ee.msp
c:\windows\Installer\57292ef.msp
c:\windows\Installer\57292f0.msp
c:\windows\Installer\57292f1.msp
c:\windows\Installer\57292f2.msp
c:\windows\Installer\57292f3.msp
c:\windows\Installer\57292f4.msp
c:\windows\Installer\57292f5.msp
c:\windows\Installer\57292f6.msp
c:\windows\kb913800.exe
c:\windows\strictions.dll
c:\windows\system32\ahoyuwad.ini
c:\windows\system32\dasejaru.dll
c:\windows\system32\dijuzihi.dll
c:\windows\system32\dl32.exe
c:\windows\system32\drivers\npf.sys
c:\windows\system32\drivers\SKYNETwjaakoeh.sys
c:\windows\system32\drivers\UACpixrownv.sys
c:\windows\system32\FInstall.sys
c:\windows\system32\forukabe.dll
c:\windows\system32\giwawawo.dll
c:\windows\system32\gogihuho.dll
c:\windows\system32\hljwugsf.bin
c:\windows\system32\huhugafe.dll
c:\windows\system32\Install.txt
c:\windows\system32\isasdk.sys
c:\windows\system32\kedisuzo.dll
c:\windows\system32\kejepuha.dll
c:\windows\system32\konowahu.dll
c:\windows\system32\lspqxy.dll
c:\windows\system32\luyeduje.dll
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\refobaju.dll
c:\windows\system32\remebeyi.dll
c:\windows\system32\s9sfsa.exe
c:\windows\system32\SKYNETesisvtmp.dll
c:\windows\system32\SKYNETftnxvkpd.dll
c:\windows\system32\SKYNETipfwoscp.dll
c:\windows\system32\SKYNETmitgggyw.dll
c:\windows\system32\SKYNETqskltdhy.dat
c:\windows\system32\SKYNETqvdkrjlk.dat
c:\windows\system32\SKYNETrcjpibmi.dll
c:\windows\system32\UACccrdksgd.log
c:\windows\system32\UACewftiqsa.dll
c:\windows\system32\UACogxgkday.log
c:\windows\system32\UACpcwemoyf.dll
c:\windows\system32\UACswwehwee.dll
c:\windows\system32\UACtegrfuxv.dll
c:\windows\system32\UACxblxagut.dat
c:\windows\system32\UACyrvkkhbp.log
c:\windows\system32\ufujinub.ini
c:\windows\system32\uwuvajam.ini
c:\windows\system32\WanPacket.dll
c:\windows\system32\wbem\proquota.exe
c:\windows\system32\winio.vxd
c:\windows\system32\wpcap.dll
c:\windows\system32\wujuleza.dll
c:\windows\system32\yekotosu.dll
c:\windows\system32\yozekute.dll
c:\windows\system32\zehekilo.dll
c:\windows\Tasks\jsaplbsj.job
c:\windows\TEMP\mta32910.dll
c:\windows\win32k.sys

-- Previous Run --

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

--------

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_ISASDK
-------\Legacy_NPF
-------\Legacy_SKYNETppjoyxvi
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_isasdk
-------\Service_NPF
-------\Service_SKYNETppjoyxvi
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-12 16:18 . 2009-10-12 16:18 -------- d-----w- c:\program files\Activision
2009-10-12 16:10 . 2009-10-12 16:10 -------- d-----w- c:\program files\PowerISO
2009-10-12 15:55 . 2009-10-12 15:55 -------- d-----w- c:\program files\MagicDisc
2009-10-12 15:55 . 2009-02-24 23:42 116736 ----a-w- c:\windows\system32\drivers\mcdbus.sys
2009-10-12 06:24 . 2009-10-12 06:24 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\The Witcher
2009-10-10 08:03 . 2009-10-10 08:03 -------- d-----w- c:\windows\ServicePackFiles
2009-10-10 03:57 . 2009-10-10 03:57 -------- d-----w- c:\documents and settings\Owner\DoctorWeb
2009-10-08 22:27 . 2009-10-08 22:27 -------- d-----w- c:\program files\Sophos
2009-10-08 21:12 . 2009-10-08 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-10-08 21:12 . 2009-10-08 21:12 -------- d-----w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-10-06 06:24 . 2008-06-19 22:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-10-06 06:24 . 2009-10-06 06:24 -------- d-----w- c:\program files\Panda Security
2009-10-06 06:15 . 2009-10-06 06:15 -------- d-----w- C:\log
2009-10-06 06:15 . 2009-08-27 21:23 2457600 ----a-w- C:\RootkitBuster.exe
2009-10-06 05:45 . 2009-10-06 06:14 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-06 05:45 . 2009-10-06 05:46 -------- d-----w- c:\documents and settings\Owner\.housecall6.6
2009-10-05 18:32 . 2009-10-05 18:32 31822 ----a-w- c:\windows\system32\stmod1.exe
2009-10-05 18:05 . 2009-10-05 22:57 102188 ----a-w- c:\windows\system32\9b2b3dbd.exe
2009-10-05 14:03 . 2009-10-05 14:03 -------- d-----w- c:\program files\Starbreeze Studios
2009-10-03 07:20 . 2009-10-03 07:20 -------- d-----w- c:\program files\Microsoft Games
2009-10-02 04:23 . 2009-10-02 04:23 -------- d-----w- c:\program files\McAfee Security Scan
2009-10-02 04:23 . 2009-10-02 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-10-02 04:23 . 2009-10-03 01:55 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-10-02 01:57 . 2009-10-02 01:57 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Ascaron Entertainment
2009-10-02 01:51 . 2009-10-02 01:51 -------- d--h--r- c:\documents and settings\Owner\Application Data\SecuROM
2009-09-28 04:27 . 2006-04-29 19:25 40960 ----a-w- c:\windows\system32\psfind.dll
2009-09-27 19:54 . 1999-12-17 15:13 86016 ----a-w- c:\windows\unvise32.exe
2009-09-25 05:47 . 2009-09-25 05:47 -------- d-----w- c:\program files\Common Files\ATI Technologies
2009-09-25 05:47 . 2009-09-27 08:22 -------- d-----w- c:\program files\DIFX
2009-09-24 23:25 . 2009-09-25 06:36 -------- d-----w- c:\program files\NCSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
3427-09-26 03:40 . 2009-05-17 06:42 77824 ----a-w- c:\windows\system32\vorbisfile.dll
2009-10-17 23:05 . 2008-05-26 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-17 18:43 . 2007-01-13 20:20 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-12 16:37 . 2009-09-06 10:35 -------- d-----w- c:\documents and settings\Owner\Application Data\Activision
2009-10-12 16:32 . 2005-10-20 19:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-10-12 16:09 . 2006-06-06 08:09 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
2009-10-08 21:12 . 2009-06-02 00:51 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-10-08 07:06 . 2008-05-25 23:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-06 05:21 . 2006-10-27 22:46 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-10-06 05:06 . 2006-01-26 08:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-03 01:56 . 2005-12-18 03:13 42416 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-01 23:33 . 2008-10-30 07:04 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-10-01 23:33 . 2008-10-30 07:04 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-10-01 04:42 . 2005-12-23 07:19 107888 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-09-27 22:18 . 2008-01-20 03:57 -------- d-----w- c:\program files\SystemRequirementsLab
2009-09-27 19:54 . 2009-09-13 10:18 -------- d-----w- c:\program files\Parallel Port Joystick
2009-09-25 06:34 . 2009-01-14 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
2009-09-25 05:49 . 2005-04-13 16:56 668672 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:48 . 2005-04-13 16:55 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-25 05:12 . 2009-03-09 03:07 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-09-18 02:23 . 2006-01-07 06:23 -------- d-----w- c:\program files\World of Warcraft
2009-09-12 20:28 . 2008-02-07 06:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-11 14:33 . 2005-04-13 16:55 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-10 19:54 . 2009-07-11 05:11 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 19:53 . 2009-07-11 05:11 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-07 16:40 . 2009-09-07 16:40 42416 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-09-07 05:51 . 2009-09-07 05:50 -------- d-----w- c:\documents and settings\All Users\Application Data\ijjigame
2009-09-07 05:48 . 2009-09-07 05:48 -------- d-----w- c:\program files\ijji
2009-09-07 05:40 . 2009-09-07 05:40 -------- d-----w- c:\documents and settings\Owner\Application Data\InstallShield
2009-09-07 03:06 . 2009-09-07 03:06 -------- d-----w- c:\program files\Common Files\Futuremark Shared
2009-09-07 00:49 . 2009-09-07 00:49 -------- d-----w- c:\documents and settings\Owner\Application Data\System Requirements Lab BETA
2009-09-06 10:35 . 2009-09-06 10:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Activision
2009-09-04 20:45 . 2005-04-13 16:55 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 06:52 . 2009-08-30 06:52 -------- d-----w- c:\documents and settings\Owner\Application Data\Microsoft Games
2009-08-30 02:54 . 2007-06-22 07:21 -------- d-----w- c:\program files\PeerGuardian2
2009-08-26 08:16 . 2005-04-13 16:57 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-25 22:04 . 2009-09-07 05:51 75264 ----a-w- c:\windows\system32\uc_holybeast_launching.dll
2009-08-22 21:40 . 2009-07-17 03:40 -------- d-----w- c:\program files\Free-Soft
2009-08-21 01:13 . 2009-08-21 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2009-08-05 09:11 . 2005-04-13 16:55 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 13:58 . 2005-04-13 16:55 2136064 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 13:13 . 2004-08-04 05:59 2015744 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-29 04:53 . 2005-04-13 16:56 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-07-29 04:53 . 2005-04-13 16:55 82432 ----a-w- c:\windows\system32\fontsub.dll
2008-12-17 00:57 . 2009-01-02 01:24 942205576 ----a-w- c:\program files\data3.cab
2008-12-17 00:57 . 2009-01-02 01:24 555 ----a-w- c:\program files\layout.bin
2008-12-17 00:56 . 2009-01-02 01:22 1416036352 ----a-w- c:\program files\data2.cab
2008-12-17 00:54 . 2009-01-02 01:22 9727978 ----a-w- c:\program files\data1.cab
2008-12-17 00:54 . 2009-01-02 01:22 5460557 ----a-w- c:\program files\data1.hdr
2008-12-17 00:53 . 2009-01-02 01:24 328885 ----a-w- c:\program files\setup.boot
2008-12-17 00:53 . 2009-01-02 01:24 448 ----a-w- c:\program files\setup.ini
2008-12-05 23:51 . 2009-01-02 01:24 173571 ----a-w- c:\program files\setup.inx
2008-07-09 17:41 . 2009-01-02 01:24 1287356 ----a-w- c:\program files\Setup.bmp
2007-09-20 16:58 . 2008-06-09 04:49 52156 ----a-w- c:\program files\Copyright.txt
2007-09-19 04:41 . 2008-06-09 04:49 258352 ----a-w- c:\program files\unicows.dll
2007-09-19 04:41 . 2008-06-09 04:49 4968 ----a-w- c:\program files\install.ini
2007-09-19 04:41 . 2008-06-09 04:49 1196032 ----a-w- c:\program files\install.exe
2007-09-19 04:41 . 2008-06-09 04:49 372736 ----a-w- c:\program files\ijl15.dll
2007-09-19 04:41 . 2008-06-09 04:49 4150 ----a-w- c:\program files\icon.ico
2007-09-19 04:41 . 2008-06-09 04:51 514337164 ----a-w- c:\program files\data4.pck
2007-09-19 03:55 . 2008-06-09 04:50 629164503 ----a-w- c:\program files\data3.pck
2007-09-18 22:10 . 2008-06-09 04:49 629175968 ----a-w- c:\program files\data2.pck
2007-09-18 17:03 . 2008-06-09 04:49 629147117 ----a-w- c:\program files\data1.pck
2007-09-18 14:58 . 2008-06-09 04:49 1080216 ----a-w- c:\program files\check.md
2002-12-05 20:16 . 2009-01-02 01:24 418296 ----a-w- c:\program files\engine32.cab
2002-10-17 23:05 . 2009-01-02 01:24 28131 ----a-w- c:\program files\setup.skin
2009-09-23 10:48 . 2009-10-05 18:05 1934848 ----a-w- c:\program files\mozilla firefox\components\3e6b23d6.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-03-20 00:54 . 2008-03-20 00:45 24 --sh--w- c:\windows\SF2868A9E.tmp
2009-03-27 03:16 . 1601-01-01 00:12 61440 --sha-w- c:\windows\system32\finozute.exe
2009-04-25 01:45 . 2009-01-25 01:45 47616 --sha-w- c:\windows\system32\hesanebo.exe
2009-07-06 06:05 . 2009-07-06 06:05 194134 --sha-w- c:\windows\system32\loyuwisa.exe
2009-05-01 01:29 . 2009-02-01 01:29 47104 --sha-w- c:\windows\system32\mazimiru.exe
2009-05-02 04:42 . 2009-02-02 04:42 47104 --sha-w- c:\windows\system32\monajole.exe
2009-04-27 07:32 . 2009-01-27 07:32 46592 --sha-w- c:\windows\system32\rakoyopo.exe
2009-04-26 19:32 . 2009-01-26 19:32 47104 --sha-w- c:\windows\system32\yimazitu.exe
2009-04-26 01:45 . 2009-01-26 01:45 46592 --sha-w- c:\windows\system32\yobaruzi.exe
2009-04-27 19:32 . 2009-01-27 19:32 47616 --sha-w- c:\windows\system32\zepulabe.exe
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-10 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]
"scheduler_monitor"="c:\program files\ReaConverter 5.5 Pro\init_scheduler.exe" [2007-06-15 27136]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]
"SUPERAntiSpyware"="N:\SUPERAntiSpyware.exe" [2009-09-15 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-11-15 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-19 148888]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-09 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-12-01 126976]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-03-26 177472]
"PSPVideoConverter_upgrade"="c:\program files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe" [2009-01-05 495616]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-04-11 68592]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"QuickTime Task"="c:\program files\QuickTime Alternative\qttask.exe" [2009-01-05 413696]
"IObit Security 360"="c:\program files\IObit\IObit Security 360\IS360tray.exe" [2009-09-29 1241872]
"Malwarebytes Anti-Malware (reboot)"="n:\malwarebytes' anti-malware\zzasa.exe" [2009-09-10 1312080]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-03-15 180224]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-10-21 77824]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" - c:\windows\system32\Hdaudpropshortcut.exe [2004-08-13 61952]
"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2005-05-03 543232]
"AlcWzrd"="ALCWZRD.EXE" - c:\windows\ALCWZRD.EXE [2004-10-22 2744832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "N:\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21 548352 ----a-w- N:\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-07-06 15:16 176128 ----a-w- c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Emy33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnq56.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Uxi00.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Electronic Arts\\Battlefield 2142\\BF2142.exe"=
"c:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\Xfire\\Xfire.exe"=
"c:\\Program Files\\Sierra\\FEAR\\fpupdate.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.4.6314-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.3.6299-to-2.0.5.6320-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.0.5.6320-to-2.0.6.6337-enUS-downloader.exe"=
"c:\\Program Files\\Doom 3\\Doom3.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\SypherX\\Movie Pirate Stff\\utorrent.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\SypherX\\psp controller\\wificon\\WiFiController-0.4.4\\PC\\WiFiServer.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.3.9947-to-3.2.0.10192-enUS-downloader.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\PSPdisp\\bin\\app\\PSPdisp.exe"=
"c:\\Program Files\\Microsoft Games\\Dungeon Siege 2\\DungeonSiege2.exe"=
"c:\\WINDOWS\\system32\\taskmgr.exe"=
"c:\\Documents and Settings\\Owner\\Desktop\\SypherX\\Computer Info Software\\procexp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"49190:TCP"= 49190:TCP:*:Disabled:SolidNetworkManager
"49190:UDP"= 49190:UDP:*:Disabled:SolidNetworkManager
"20702:TCP"= 20702:TCP:*:Disabled:SolidNetworkManager
"20702:UDP"= 20702:UDP:*:Disabled:SolidNetworkManager
"62140:TCP"= 62140:TCP:*:Disabled:SolidNetworkManager
"62140:UDP"= 62140:UDP:*:Disabled:SolidNetworkManager
"32735:TCP"= 32735:TCP:*:Disabled:SolidNetworkManager
"32735:UDP"= 32735:UDP:*:Disabled:SolidNetworkManager
"64198:TCP"= 64198:TCP:*:Disabled:SolidNetworkManager
"64198:UDP"= 64198:UDP:*:Disabled:SolidNetworkManager
"36645:TCP"= 36645:TCP:*:Disabled:SolidNetworkManager
"36645:UDP"= 36645:UDP:*:Disabled:SolidNetworkManager
"23452:TCP"= 23452:TCP:*:Disabled:SolidNetworkManager
"23452:UDP"= 23452:UDP:*:Disabled:SolidNetworkManager
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57035:TCP"= 57035:TCP:Pando Media Booster
"57035:UDP"= 57035:UDP:Pando Media Booster

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/6/2009 1:24 AM 28544]
R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [9/27/2006 4:47 AM 13952]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [8/8/2002 6:27 PM 13952]
R3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [6/8/2003 2:00 PM 28800]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [7/8/2009 10:04 PM 3072]
S0 Emy33;Emy33;c:\windows\system32\Drivers\Emy33.sys --> c:\windows\system32\Drivers\Emy33.sys [?]
S0 Gnq56;Gnq56;c:\windows\system32\Drivers\Gnq56.sys --> c:\windows\system32\Drivers\Gnq56.sys [?]
S0 Uxi00;Uxi00;c:\windows\system32\Drivers\Uxi00.sys --> c:\windows\system32\Drivers\Uxi00.sys [?]
S1 SASDIFSV;SASDIFSV;N:\sasdifsv.sys [9/15/2009 11:42 AM 9968]
S1 SASKUTIL;SASKUTIL;N:\SASKUTIL.SYS [9/15/2009 11:42 AM 74480]
S2 HDDTempNetServer;HDD Temperature Enterprise Server;c:\program files\PalickSoft\HDD Temperature Enterprise\HDDNetTempServer.exe /startedbyscm:B15A26C5-40E2B66C-HDDNetTemp --> c:\program files\PalickSoft\HDD Temperature Enterprise\HDDNetTempServer.exe [?]
S2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [8/3/2009 12:09 AM 309008]
S3 cpuz130;cpuz130;\??\c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\Owner\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\documents and settings\Owner\Desktop\SypherX\Computer Info Software\Everest.Ultimate.Edition.2006.2.80.534\kerneld.wnt [4/9/2006 11:09 AM 11776]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [3/16/2009 1:14 AM 28672]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [11/30/2007 12:27 PM 558592]
S3 SASENUM;SASENUM;N:\SASENUM.SYS [9/15/2009 11:42 AM 7408]
S3 Service_Desktop;Desktop;c:\program files\Free-Soft\Virtual Desktop\Desktop.exe --> c:\program files\Free-Soft\Virtual Desktop\Desktop.exe [?]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [10/1/2006 7:37 AM 26624]
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys --> c:\windows\system32\XDva164.sys [?]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
S3 XDva220;XDva220;\??\c:\windows\system32\XDva220.sys --> c:\windows\system32\XDva220.sys [?]
S3 XDva224;XDva224;\??\c:\windows\system32\XDva224.sys --> c:\windows\system32\XDva224.sys [?]
S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - PROCEXP100

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
BtwSrv
.
Contents of the 'Scheduled Tasks' folder

2009-04-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.gatewaybiz.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {4E709758-3F9A-409C-9E32-8912A721E9D2} = 208.67.220.220,208.67.222.222
DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} - hxxp://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6fqbcm7.default\
FF - prefs.js: browser.search.selectedEngine - GoogleCOM
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google-searchbar.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\Mozilla Firefox\components\3e6b23d6.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\n6fqbcm7.default\extensions\{5601B994-0E9B-4ce2-8AB9-AD1155F2ABBD}\plugins\NPNeffyPlugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiautoinstallpluginff.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

FF - user.js: browser.search.selectedEngine - GoogleCOM
FF - user.js: keyword.URL - hxxp://www.google-searchbar.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
.
- - - - ORPHANS REMOVED - - - -

BHO-{ad2c2290-be52-4728-a5c3-d8b4d0851675} - wujuleza.dll
HKCU-Run-VD - (no file)
HKCU-Run-PlayNC Launcher - (no file)
SharedTaskScheduler-{7d5ee03f-06e8-4879-951c-326f42595c9a} - c:\windows\system32\refobaju.dll
SharedTaskScheduler-{a0dadd45-a590-404d-b9e6-c56fc3e09245} - c:\windows\system32\giwawawo.dll
SSODL-puferadod-{d3db0d13-be4e-428a-a5cb-12d8b00cb9a5} - (no file)
SSODL-vofaribay-{25e3e1e3-daaf-420b-8d6f-02f57ec7d0b8} - (no file)
SSODL-yuwimivuv-{48ba8d8c-2237-4324-b50e-e3ce7093a182} - (no file)
SSODL-pazesawof-{ce7e8964-ebb1-4cdc-ad03-d8392fbfbe44} - (no file)
SSODL-kutubaduv-{36f1a11d-5ade-40c4-9ae4-33143a10d182} - (no file)
SSODL-yimobunej-{10dc079c-9224-4ba1-99b8-23b2ad3a691e} - (no file)
SSODL-fimakodur-{a95a2358-feb9-4df7-9cee-6a17f3c5dc8a} - (no file)
SSODL-yuwudagat-{7ef22fb4-d8ce-4775-88cd-56b05fad62e5} - (no file)
SSODL-dokihehih-{86bcaf1f-ba04-4679-99e9-13ea47ce8d1e} - (no file)
SSODL-nuravujas-{358dfbf5-88e9-4bf6-93fb-8eddd06dc280} - (no file)
SSODL-medisobew-{bd380dff-30a7-4d0b-ada3-d31a2267928c} - (no file)
SSODL-resusijom-{7d5ee03f-06e8-4879-951c-326f42595c9a} - c:\windows\system32\refobaju.dll
SSODL-peyujosef-{a0dadd45-a590-404d-b9e6-c56fc3e09245} - c:\windows\system32\giwawawo.dll
Notify-pmnmmNhF - pmnmmNhF.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-18 00:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\HDDTempNetServer]
"ImagePath"="c:\program files\PalickSoft\HDD Temperature Enterprise\HDDNetTempServer.exe /startedbyscm:B15A26C5-40E2B66C-HDDNetTemp"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\EverestDriver]
"ImagePath"="\??\c:\documents and settings\Owner\Desktop\SypherX\Computer Info Software\Everest.Ultimate.Edition.2006.2.80.534\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet005\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2627011371-2010092445-3762394428-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-2627011371-2010092445-3762394428-1006\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=

[HKEY_LOCAL_MACHINE\software\swearware\backup\winsock2]
@DACL=(02 0000)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
N:\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2009-10-18 0:39
ComboFix-quarantined-files.txt 2009-10-18 05:39
ComboFix2.txt 2008-06-02 07:31
ComboFix3.txt 2008-05-26 00:57

Pre-Run: 40,435,281,920 bytes free
Post-Run: 41,228,713,984 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
496 --- E O F --- 2009-10-15 01:38
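The log above already contains the indicators a helper reads off by eye: a firewall that is switched off, browser HTTP traffic pointed at a proxy on localhost:7171, three boot-start drivers with random-looking names whose image files are missing yet are registered to load in Safe Mode, a driver image that is a .tmp file, and a Firefox keyword.URL pointed at a host other than Google. The script below is an added example, not part of the post and not ComboFix code: it runs those same heuristics over lines copied from the log (the SAMPLE_LOG excerpt is constructed from the text above) and returns review items. The severity labels and the rules themselves are the editor's assumptions; a hit means "look at this", not "this is malware" (for instance AppInit_DLLs is often set by legitimate desktop-customisation software, and some scanners load their own driver from a temp-named file).

```python
"""Heuristic triage of ComboFix 'Reg Loading Points' and service lines.

Added example, not part of the forum post and not ComboFix code. The
heuristics are the editor's assumptions; a hit is a review item, not a verdict.
"""
import re
from urllib.parse import urlparse

# Excerpt constructed from the ComboFix log in the post (lines copied as posted).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\wbsys.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Emy33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Gnq56.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [10/6/2009 1:24 AM 28544]
S0 Emy33;Emy33;c:\windows\system32\Drivers\Emy33.sys --> c:\windows\system32\Drivers\Emy33.sys [?]
S0 Gnq56;Gnq56;c:\windows\system32\Drivers\Gnq56.sys --> c:\windows\system32\Drivers\Gnq56.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6.tmp --> c:\windows\system32\6.tmp [?]
uInternet Settings,ProxyServer = http=localhost:7171
FF - user.js: keyword.URL - hxxp://www.google-searchbar.com/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
"""

SERVICE_RE = re.compile(r'^([RS][0-4]) ([^;]+);[^;]*;(.*)$')          # "S0 name;display;image"
SAFEBOOT_RE = re.compile(r'\\SafeBoot\\Minimal\\([^\\\]]+)\]$', re.IGNORECASE)
PROXY_RE = re.compile(r'ProxyServer = (\S+)')
LOCAL_RE = re.compile(r'(?:localhost|127\.0\.0\.1):(\d+)')
KEYWORD_RE = re.compile(r'keyword\.URL - (\S+)')
APPINIT_RE = re.compile(r'"AppInit_DLLs"=(.+)$')
FIREWALL_RE = re.compile(r'"EnableFirewall"=\s*0\b')
TRUSTED_SEARCH_HOSTS = {'google.com', 'www.google.com'}   # assumption: what the user expects


def triage(log_text):
    """Return a list of (severity, indicator, detail) review items."""
    findings = []
    safeboot = set()     # driver files the registry allows to load in Safe Mode
    services = []        # (start type, service name, image text) for a second pass
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SAFEBOOT_RE.search(line)
        if m:
            safeboot.add(m.group(1).lower())
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groups())
            continue
        if FIREWALL_RE.search(line):
            findings.append(('medium', 'firewall_disabled', line))
        m = PROXY_RE.search(line)
        if m and LOCAL_RE.search(m.group(1)):
            # browser traffic is being relayed through a listener on this machine
            port = LOCAL_RE.search(m.group(1)).group(1)
            findings.append(('high', 'local_proxy', f'HTTP proxied through localhost:{port}'))
        m = KEYWORD_RE.search(line)
        if m:
            host = urlparse(m.group(1).replace('hxxp', 'http', 1)).hostname or ''
            if host.lower() not in TRUSTED_SEARCH_HOSTS:
                findings.append(('medium', 'search_redirect', host))
        m = APPINIT_RE.search(line)
        if m and m.group(1).strip():
            # any DLL listed here is loaded into every process that loads user32.dll
            findings.append(('review', 'appinit_dlls', m.group(1).strip()))
    for start, name, image in services:
        path = image.split(' --> ')[0].split(' [')[0]
        missing = image.endswith('[?]')               # ComboFix could not find the image
        if path.lower().endswith('.tmp'):
            findings.append(('review', 'tmp_driver', f'{name}: {path}'))
        if start.endswith('0') and missing:           # start type 0 = boot-start
            sev = 'high' if f'{name.lower()}.sys' in safeboot else 'medium'
            findings.append((sev, 'boot_driver_missing', name))
    return findings


if __name__ == '__main__':
    for sev, ind, detail in triage(SAMPLE_LOG):
        print(f'[{sev:6}] {ind:20} {detail}')
```

The second pass over services matters: a missing boot-start driver is only moderately interesting on its own (stale entries from uninstalled software look the same), but one that has also registered itself under SafeBoot\Minimal is arranging to be loaded even when the user boots to Safe Mode to clean up, which is why those three are rated higher than the .tmp driver.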
HKEd
In the Task Manager, click on the Applications tab and then New Task.

In the 'Open' box type cmd and click OK.

In the command window, type the following, pressing Enter after each line:

cd c:\

dir /s explorer.exe


Make a note of the locations of the files and post them in your reply.
Agrantstl
Ok, I got this from the command prompt.

C:\>dir /s explorer.exe
Volume in drive C has no label.
Volume Serial Number is 7877-D158
HKEd
There should be a 'File Not Found' message if the file doesn't exist. It may take a few seconds for any file locations to be listed. Please try again. I can't believe there are no copies of Explorer.exe on the drive.
Agrantstl
I see, I let it run longer and it said "File not found".

What should I do next?
HKEd
I've never seen all copies of Explorer.exe deleted before.

You need to get a copy of Explorer.exe and transfer it to C:\Windows. You could do this using a USB drive and the task manager. Click New Task, type the letter of the USB drive (e.g. F:) and OK it. Right-click on Explorer.exe and click Copy. New Task again and type C:\Windows, then right-click Paste.
Agrantstl
Where might I find a safe version of Explorer.exe? I don't have another computer to get it off of.

This is really confusing me, lol. Hopefully we can figure this out.

Thank you again.
Agrantstl
Well, I did some searching around and manually located the explorer.exe in C:\Windows. The icon is greyed out, kind of like when my antivirus programs would not run. I tried to run it and it says,

"Windows cannot access the specified device, path, or file."

Just thought I would post something that might help.
HKEd
Can you use email? If so, click on my user name for my email address. I can send you Home Edition SP2 Explorer.exe.

I don't think the version of Explorer matters too much (you appear to have XP Professional). If we can get the computer back to normal, you can replace it with the correct version.
Agrantstl
Alright, you should have an email with mine in it.

Thank you

A. Grant
HKEd
Mail sent.

Locate C:\Windows\Explorer.exe and rename it Explorer.old, then copy the new file there.
Agrantstl
Actually there's 2 explorer.exe's there. Under Properties they say explorer.exe0 and explorer.exe1.
I was able to rename one of them, but the other one says "Access is denied". I tried copying it to
a folder named backup but it still says "Access is denied".

Should I copy over the new file?

A. Grant
HKEd
Hmmm...

What explorer is showing as running in the task manager?
Agrantstl
That's the weird thing, there's no explorer.exe running at all. I open my Firefox with Task Manager and navigate around with the Task Manager, lol. I mean I have no desktop icons or anything, no access to the Start menu.
Hmm, I'll be here

A. Grant

HKEd
Can you check the Properties of Explorer.exe1 (whichever explorer would not rename) and let me know the file size.

Also, do you have an XP CD? Is it a Recovery CD? If so, from what manufacturer?

The problem here is that the Windows interface is being routed through the bogus explorer. That means that each time you open a folder, the open command is routed through the bogus explorer, thereby activating it.

Will the computer start in Safe Mode with Command Prompt? Tap F8 repeatedly as the computer restarts until you get a menu, then use the arrow keys to highlight the above and press Enter.
Agrantstl
I can run from safe mode with command prompt, that's how I was able to run some of the anti-spyware programs.

The explorer.exe that I could rename is 80 bytes (80 bytes)

The explorer.exe that I could not rename is 0.98 MB (1,033,216 bytes)

My computer was not boxed with a cd.


A. Grant
HKEd
The file size is correct. This is very perplexing.

Put the copy of Explorer.exe I sent you on the USB drive and note the drive letter.

Boot to safe mode with command prompt.

At the C: prompt, type this (pressing Enter after each line):

cd windows
ren explorer.exe1 explorer.old


Next, type the letter of the USB drive - e.g. F:. Press Enter. Type this:

copy explorer.exe c:\windows

You should get a message that one file was copied successfully.

Reboot and let me know what the situation is.

BTW, I'm assuming that the file name is Explorer.exe1. If it's the other file, substitute the 0 for 1.
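The dir /s explorer.exe step earlier in the thread and the size comparison just above (80 bytes against 1,033,216 bytes) can be turned into a check that does not trust a file name or a size on its own. The script below is an added example, not the thread's or any tool's code: it walks a Windows directory tree, inspects every file whose name begins with explorer.exe (which also catches lookalikes such as explorer.exe0), records size, MD5 and whether the file starts with the MZ stub every Windows executable carries, reports files it cannot open instead of stopping (the "Access is denied" case), and compares each hash against the two MD5s the ComboFix file check printed for this machine's 6.00.2900.3156 build. The KNOWN_GOOD_MD5 table, EXPECTED_SIZE and the demo tree that build_demo_tree() creates are assumptions taken from or modelled on the log above, valid only for that exact build; MD5 is used because that is what the log reports. A real run would point it at the drive mounted from a boot CD or another machine, since the infected desktop cannot be trusted to run anything.

```python
"""Locate every explorer.exe copy under a Windows tree and check each one.

Added example, not part of the forum post. Meant to run against the drive
from a boot CD or another machine, not from the infected desktop.
"""
import hashlib
import os
import tempfile

# MD5s and size printed by the ComboFix file check for this machine's Explorer
# build (6.00.2900.3156). Assumption: they apply only to that exact build.
KNOWN_GOOD_MD5 = {
    '97bd6515465659ff8f3b7be375b2ea87': 'explorer.exe 6.00.2900.3156 (dllcache copy in the log)',
    '7712df0cdde3a5ac89843e61cd5b3658': 'explorer.exe 6.00.2900.3156 (KB938828 SP2QFE copy in the log)',
}
EXPECTED_SIZE = 1033216   # bytes, as listed for the 6.00.2900.3156 copies


def inspect_file(path):
    """Return a record describing one candidate file and why it is suspicious."""
    rec = {'path': path, 'size': None, 'md5': None, 'is_pe': False,
           'error': None, 'flags': []}
    try:
        with open(path, 'rb') as fh:
            data = fh.read()
    except OSError as exc:              # the "Access is denied" case in the thread
        rec['error'] = str(exc)
        rec['flags'].append('unreadable')
        return rec
    rec['size'] = len(data)
    rec['md5'] = hashlib.md5(data).hexdigest()
    rec['is_pe'] = data[:2] == b'MZ'    # every Windows executable starts with the MZ stub
    if os.path.basename(path).lower() != 'explorer.exe':
        rec['flags'].append('lookalike_name')    # e.g. explorer.exe0 / explorer.exe1
    if not rec['is_pe']:
        rec['flags'].append('not_pe')
    if rec['size'] != EXPECTED_SIZE:
        rec['flags'].append('unexpected_size')
    if rec['md5'] in KNOWN_GOOD_MD5:
        rec['flags'].append('known_good')
    elif not rec['flags']:
        # right name, right size, valid PE, but not a hash we trust:
        # size alone is not proof, so it stays unverified
        rec['flags'].append('hash_unknown')
    return rec


def find_explorer_copies(root):
    """Walk root and inspect every file whose name starts with explorer.exe."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().startswith('explorer.exe'):
                hits.append(inspect_file(os.path.join(dirpath, name)))
    return sorted(hits, key=lambda r: r['path'])


def build_demo_tree():
    """Constructed stand-in for a WINDOWS directory so the check runs offline."""
    root = tempfile.mkdtemp(prefix='explorer_check_')
    dllcache = os.path.join(root, 'WINDOWS', 'system32', 'dllcache')
    os.makedirs(dllcache)
    # placeholder for the real binary: correct size and MZ stub, not the real bytes
    with open(os.path.join(dllcache, 'explorer.exe'), 'wb') as fh:
        fh.write(b'MZ' + b'\0' * (EXPECTED_SIZE - 2))
    # placeholder for the 80-byte file the poster found next to it
    with open(os.path.join(root, 'WINDOWS', 'explorer.exe0'), 'wb') as fh:
        fh.write(b'\0' * 80)
    return root


if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    for rec in find_explorer_copies(target):
        print(f"{rec['path']}\n    size={rec['size']} md5={rec['md5']} flags={rec['flags']}")
```

Run with a path argument to scan a mounted drive, or with no argument to scan the constructed demo tree. The placeholder with the right size and name still comes back as hash_unknown, which is the point: a copy is only trustworthy once its hash matches a copy you already trust, such as the one in dllcache that ComboFix was able to read.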
Agrantstl
Well, I have good news and bad news.

Bad news: I tried what you told me to do and I got this:


The system cannot find the file specified.

and

Access is denied.
0 files copied.


The "good" news: I tried to launch the explorer.exe you sent me and all of my desktop icons and
Start menu came back up. I restarted and there's nothing here.

HKEd
I need to know when you got the 'system cannot find the file specified' message. I have no idea which file it relates to.
Agrantstl
The first script you told me to run, ren explorer.exe

Then I ran the other script, the copy to C:\Windows one, and got the 0 files
copied message.

HKEd
After cd windows, you should be here:

C:\Windows>

Then you type:

ren explorer.exe1 explorer.old

Ren is short for rename. If you get a file not found message, try the other file:

ren explorer.exe0 explorer.old

If that doesn't work, try:

ren explorer.ex* explorer.old

Next, type the drive letter of the USB and type dir. This will show all files on the USB drive. Check that explorer.exe is listed, then use the copy command, as before.
Agrantstl
Ok, after I did C:\Windows>, I was there. Then I tried ren explorer.exe0 explorer.old and
ren explorer.ex* explorer.old and this is what I got:


The syntax of the command is incorrect.

I also did the dir for the flash drive and got this:

autorun.inf
Launchhu3.exe
LaunchPad.zip

3 files

Can I copy and paste through Task Manager? Or something else?
HKEd
You could try the copy/paste using the task manager, but I don't think it will work. The bogus explorer will still be in use.

You didn't copy explorer.exe to the USB drive. If you did, it would be listed. Can't copy what's not there.

Forget about the command prompt for the moment. Try clicking on the copy of explorer I sent you and see if that bogus explorer will rename or delete. You might be able to see it on the Processes tab of the task manager. If you do, end process on it.
HKEd
I need a break from this (lunch time here). Back in an hour or so.
Agrantstl
You're right, I was trying to copy from F and the explorer.exe is in N. Oops! It won't let me rename it or delete it, but if I run the explorer you sent me my desktop and everything comes back. I went to search for it and explorer.exe and explorer.old aren't there anymore.

Should I go in safe mode again and try copying again?
HKEd
Where is the explorer.exe I sent you located?

Also, make sure all files are visible: Explorer > Tools menu > Folder Options > View tab > Show Hidden Files and Folders > Apply > OK. See if you can locate the other files.
jimholly
Found a couple of other ideas on this one.....

QUOTE
This is how I cleaned it from a ThinkPad notebook running XP Pro. Start Task Manager, find Windows Police Pro, right-click it and End Process; you will have a very short time to run a program, maybe 10 seconds. I ran msconfig (you will get a couple of errors, click OK on them and the program will start). Disable all startup items and reboot.

Windows Police Pro will start again; end it in Task Manager and then run Malwarebytes' Anti-Malware in the short time that Win Police Pro is not active. You will get a couple of errors again; click OK on them and the program should start. Run the scan and it should clean it or quarantine it. After it completes you should delete the Win Police Pro folder. I rebooted and ran the scan a couple of times before I was comfortable that it was clean. You will need to run msconfig again and enable your startup programs.


QUOTE
CTRL+SHFT+ESC to bring up your task manager.
Select the “Processes” tab.
Right click on svchasts.exe & select “End Process Tree”
Right click on Windows Police Pro.exe & select “End Process Tree”

You’ll now have about 10 seconds to execute whatever antivirus you want to run or whatever manual steps you want to run through. You may or may not get a couple of errors. If so, just click “OK” and move on. Your proggie will still execute. For what it’s worth, StopZilla worked without a problem. As an aside, on some systems, I did not need to kill the process tree for Windows Police Pro.exe. Killing svchasts.exe was enough.


There's a file called 'exefix_xp' that will enable the .exe files to run, if needed.

There's a detailed removal procedure available HERE.


Agrantstl
The exe you sent me is located on my flash drive along with my desktop. When I load up the exe you sent me my computer runs perfectly fine (the desktop and Windows Explorer come back). I tried looking for the other explorer files with hidden files shown and cannot find them in C:\Windows, yet the working exe is there instead. If I restart my computer in the state it is in, the computer goes back to not loading the desktop and the "bad" non-working icons are in place again.

---As far as I know my computer does not show any signs of spyware or virus. (jimholly's post)

Thank you

A. Grant
HKEd
You say "I tried looking for the other explorer files with hidden shown and can not find them in C/windows". Yet previously you stated that "theres 2 explorer.exe's there. Under properties they say explorer.exe0 and explorer.exe1". What happened to them?

Copy the explorer.exe I sent you from the USB drive to C:\Windows and let me know if there are any problems doing that.

Also, can you let me know which copy of explorer you renamed to explorer.old?
Agrantstl
I just checked, they are labeled under the icon setting, they are explorer,0 and explorer,1 and they
seemed to be named the same. I was able to rename the smaller file-sized one and unable to rename the 0.98 MB sized one. When I boot up my computer both explorer.exe(s) are there, the explorer.exe and explorer.old. I can double-click the one you sent me and everything loads up, and when I go and try to find them they are not there anymore even with the hidden files shown. I'm gonna restart and try to just copy over the one you sent me again.

Ok, I restarted and tried to move it over; it told me "Access is denied". Also, after I loaded your exe back, I tried to navigate to the 2 exes through the task manager. Even though I could go C--windows--- I went task manager----c-----windows and only the explorer.exe was there. When I went through My Computer----C----windows, the exe you gave me was there and the explorer.old is now a folder with a magnifying glass that links me to C:
HKEd
The Explorer folder with the looking glass is normal, although it shouldn't be called explorer.old.

Reboot to safe mode with command prompt. Type the following:

copy c:\windows\system32\dllcache\explorer.exe c:\windows

Press Enter.

What message do you get?
Agrantstl
The message that i get is---

Access is denied.
0 files copied.
HKEd
Did you install the Recovery Console when you ran ComboFix?

Do you have access to another computer - maybe a friend's one you could use?
Agrantstl
I can't remember if I installed the recovery console or not, and I'm pretty sure I could use a friend's computer.

A. Grant
HKEd
If the Recovery Console is installed, you would see it as an option on the boot menu each time the computer starts.

You need to make a Linux CD. To do so, you have to install ImgBurn.

Next, you have to burn a Linux/Knoppix CD. Go here and click on the Download button. On the next page, scroll down and click on either the Purdue University link - ecn.purdue.edu. Click on the Akzeptieren button, then click on KNOPPIX_V5.1.0CD-2006-12-30-EN.iso, 7th on the list from the top. Save it to the desktop.

Put a CD in the drive and click on KNOPPIX_V5.1.0CD-2006-12-30-EN.iso. ImgBurn will do the rest. Post back when the CD is made.
Agrantstl
Ok, I see the recovery console when I start my computer up, do I still need to make a cd?
HKEd
You should be able to use the recovery console (RC).

Highlight the RC on the boot menu and press Enter, then press 1 at the next screen if it corresponds to the Windows installation.

At the C:\> prompt, type the letter of the USB drive and press Enter. Type dir and Enter and verify that the explorer.exe I sent you is on the drive.

Type c: and Enter.

Type cd windows and Enter.

Type ren explorer.ex* explorer.old and Enter.

Type the USB drive letter again and Enter.

Type copy explorer.exe c:\windows and Enter.

Restart the computer and let me know what the situation is.