Recovery Console not responding

Hi. I am new to the forum and NEED help. I'm usually pretty good at figuring stuff out by checking out forums like this one, but so far no dice. Every time I start my computer, it loads, goes to the desktop and then I get the BSOD. I installed the Recovery Console. I restarted the computer, and I got a prompt: Windows XP or Recovery Console. I clicked Recovery and the screen went black with a blinking cursor at the top left-hand corner. I'm at a complete loss.

I believe I have a Backdoor.Rustock.B virus.

Can someone please help me out? I'm at my wits' end, and I can't bring myself to pay hundreds of dollars for the Geek Squad to fix it... at least not yet.
53 answers
  1. Are you able to boot into Safe Mode, or Safe Mode with Networking?

    Restart your PC. After the PC powers down, and immediately after you hear it powering up again, start tapping the F8 key at about 1-second intervals. A screen should appear with "Safe Mode with Networking" as one of the options. Select "Safe Mode with Networking"; as the operating system is loading you should see white text against a black background rolling up the screen. This is normal. Once loaded, the screen will look cartoonish with "Safe Mode" appearing in the 4 corners.

    Note: Never use msconfig to boot into "Safe Mode" when dealing with malware, as this can cause a boot loop.

    Once you are in "Safe Mode", download Malwarebytes' Anti-Malware (MBAM). When the download dialog box comes up, before you download the program, rename "mbam-setup.exe" to nike.exe. Let it update and scan your system. Reboot when prompted and let your PC boot up normally.

    Please post the log MBAM produces. If the report doesn't open, you can obtain it by running nike.exe (MBAM) and clicking on the Logs tab. Copy and paste the entire contents back here.

    http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html
  2. I am able to go into Safe Mode. I've just done plain ol' Safe Mode, but I'll def try what you suggested and get back to you. Thank you so much :)
  3. So I ran the scanner and this is what I got:

    Malwarebytes' Anti-Malware 1.31
    Database version: 1456
    Windows 5.1.2600 Service Pack 3

    1/4/2009 12:07:50 AM
    mbam-log-2009-01-04 (00-07-44).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 195317
    Time elapsed: 38 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 12
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 4
    Files Infected: 36

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> No action taken.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d53cdd35-adda-44fa-9167-8739d72605ce} (Trojan.Vundo.H) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{d53cdd35-adda-44fa-9167-8739d72605ce} (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889d08bb (Trojan.Vundo.H) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjakefubeqi (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> No action taken.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> No action taken.

    Folders Infected:
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.

    Files Infected:
    C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\lRAJmnpo.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\lRAJmnpo.ini2 (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\eyrdlope.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\epoldrye.ini (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> No action taken.
    C:\WINDOWS\system32\vytetpku.ini (Trojan.Vundo.H) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\upd105320[1] (Trojan.Vundo.H) -> No action taken.
    C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MH1YFM9C\upd105320[1] (Trojan.Vundo.H) -> No action taken.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> No action taken.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> No action taken.
    C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
    C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
    C:\WINDOWS\Ewumanar.dll (Trojan.Agent) -> No action taken.
    C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSd838.tmp (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSda0d.tmp (Trojan.FakeAlert) -> No action taken.
    C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> No action taken.
    C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> No action taken.
    C:\Documents and Settings\Me\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.
    C:\Documents and Settings\Me\Favorites\Error Cleaner.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\Me\Favorites\Privacy Protector.url (Rogue.Link) -> No action taken.
    C:\Documents and Settings\Me\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.
  4. It appears from the log that you haven't selected any detections for removal.

    If this is the case, again boot your PC into "Safe Mode" and run the full scan. Once the scan is complete, ensure you put a check mark against everything, then click on "Remove Selected".

    Reboot your PC and post the fresh log back here. We will move on to the next step.
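The helper's point above (every detection in the first log reads "No action taken", i.e. nothing was selected for removal) is easy to check mechanically. The following is an added example, not code from Malwarebytes or from anyone in this thread: a small parser for the MBAM 1.x log format posted here that groups each detection by section, threat family and action, and lists what was found but not removed or is still waiting for a reboot. The sample log is constructed for the example (a trimmed mix modelled on the two logs in the thread, not a real scan result).

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log format seen in
# this thread. Mixes the three action strings the thread shows; not a real scan.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

Memory Modules Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d53cdd35-adda-44fa-9167-8739d72605ce} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:" (the summary lines at the top of a
# real log carry a count, "Files Infected: 36", and deliberately do not match).
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")

# One detection: <item> (<family>) -> [Data: <data> -> ]<action>.
DETECTION_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$"
)


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    family: str
    action: str


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line in the log, tagged with its section."""
    detections: List[Detection] = []
    section = "Unknown"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(
                Detection(section, m.group("item"), m.group("family"), m.group("action"))
            )
    return detections


def not_removed(detections: List[Detection]) -> List[Detection]:
    """Detections the scanner reported but did not act on (post 4's observation)."""
    return [d for d in detections if d.action == "No action taken"]


def reboot_pending(detections: List[Detection]) -> List[Detection]:
    """Items MBAM could only schedule for deletion at next boot (loaded modules)."""
    return [d for d in detections if d.action == "Delete on reboot"]


def families(detections: List[Detection]) -> Counter:
    """How many detections each threat family accounts for."""
    return Counter(d.family for d in detections)


def summarize(text: str) -> Dict[str, object]:
    dets = parse_mbam_log(text)
    return {
        "total": len(dets),
        "not_removed": len(not_removed(dets)),
        "delete_on_reboot": len(reboot_pending(dets)),
        "families": families(dets),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    for d in not_removed(parse_mbam_log(SAMPLE_LOG)):
        print("NOT REMOVED:", d.section, "|", d.family, "|", d.item)
```

A log whose "not_removed" count equals its total is exactly the situation in post 3: scanned, nothing cleaned. A non-zero "delete_on_reboot" count is why the reboot step matters before the next log is read; the in-memory module cannot be deleted while it is loaded.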
  5. Malwarebytes' Anti-Malware 1.31
    Database version: 1456
    Windows 5.1.2600 Service Pack 3

    1/4/2009 2:12:45 PM
    mbam-log-2009-01-04 (14-12-45).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 196202
    Time elapsed: 35 minute(s), 34 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 13
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 4
    Files Infected: 35

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832626fa-c460-4a29-adba-d938601cd02b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{832626fa-c460-4a29-adba-d938601cd02b} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889d08bb (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjakefubeqi (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> Delete on reboot.

    Folders Infected:
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINDOWS\system32\lRAJmnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lRAJmnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\eyrdlope.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\epoldrye.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vytetpku.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MH1YFM9C\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
    C:\WINDOWS\Ewumanar.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSd838.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Me\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Me\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Me\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Me\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
  6. This next tool, SDFix, is designed to detect and remove any difficult trojans that have locked themselves to your system. It will also reset your hosts file.

    You may want to print these instructions or copy them to a notepad document on your desktop so they can be accessed in safe mode.

    IMPORTANT: Temporarily disable any real-time protection given by antivirus, antispyware, script blocking, etc.

    Refer to the link below to assess how to do this with your current security tools. If you have any questions please ask them before running the tool.

    http://www.bleepingcomputer.com/forums/topic114351.html

    If you have a custom hosts file you will need to re-apply your settings after you run SDFix.

    Download SDFix to your desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    Double click SDFix.exe on your desktop and it will extract the files to the root directory where your operating system resides.

    Next, boot your PC into "Safe Mode" using the F8 key during start-up.

    Please do not use the msconfig method whenever booting into "Safe Mode" for malware removal, as this can cause a boot loop.

    1) Open the extracted SDFix folder and double click RunThis to start the script. This can be found in the root directory usually C:\SDFix.

    2) Type Y to begin the cleanup process.

    3) It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.

    4) Press any key and it will restart the PC.

    5) When the PC restarts, the fix tool will run again and complete the removal process, then display "Finished". Press any key to end the script and load your desktop icons.

    6) Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to the clipboard, ready for posting back on the forum).

    7) Finally, paste the contents of Report.txt back on the forum with a new HijackThis log. It can be found inside the SDFix folder on the desktop.
  7. 1. Save "HJTInstall.exe" to your desktop.
    2. Double click on HJTInstall.exe to run the program. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Once the scan is complete, a Notepad document will appear on the desktop.
    6. Copy and paste the contents of the entire HijackThis log back here in your next reply.
    7. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

    http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
  8. Can I download and unpack SDFix in Safe Mode? Or do I have to do it in the normal start-up?
  9. Restoring Default Security Values
    Restoring Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Documents and Settings\Me\Application Data\Adobe\crc.dat - Deleted


    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-05 18:35:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    disk error: C:\WINDOWS\system32\config\system, 0
    scanning hidden registry entries ...

    disk error: C:\WINDOWS\system32\config\software, 0
    disk error: C:\Documents and Settings\Me\ntuser.dat, 0
    scanning hidden files ...

    disk error: C:\WINDOWS\

    please note that you need administrator rights to perform deep scan

    Remaining Services :


    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe"="C:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe:*:Enabled:Deubox Xtreamer"
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
    "C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
    "C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
    "C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
    "C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
    "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
    "C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Tue 26 Aug 2008 211 A.SHR --- "C:\BOOT.BAK"
    Sat 6 Jan 2007 88 A.SHR --- "C:\i386\76DA9D86CF.sys"
    Sat 6 Jan 2007 3,766 A.SH. --- "C:\i386\KGyGaAvL.sys"
    Wed 5 Sep 2007 0 ..SH. --- "C:\WINDOWS\S026C53D2.tmp"
    Thu 1 Jan 2009 248 ..SHR --- "C:\WINDOWS\system32\76DA9D86CF.sys"
    Thu 1 Jan 2009 7,518 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
    Thu 25 Dec 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\8C99B041E3.sys"
    Thu 25 Dec 2008 2,828 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
    Sat 27 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 27 Aug 2008 45,568 ...H. --- "C:\Documents and Settings\Me\My Documents\~WRL0003.tmp"
    Fri 20 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Mon 5 Feb 2007 1 ..SHR --- "C:\Documents and Settings\Me\Local Settings\Temp\browshui64.dll"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
    Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
    Fri 16 Nov 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"

    Finished!
  10. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:44:50 PM, on 1/5/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)
    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: {7e0bff41-2939-646a-92d4-e23d350ad95f} - {f59da053-d32e-4d29-a646-939214ffb0e7} - C:\WINDOWS\system32\ekhyvw.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204575382125
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll
    O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
    O21 - SSODL: ieModule - {CC1320C2-4A2C-420B-BCE6-3E6750BFED66} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
    O21 - SSODL: InternetConnection - {14E9AF0E-1D88-41D3-96F6-8018C74E92E8} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\srptitxdtx.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10111 bytes
  11. Are you able to use your pc in normal mode now, or are you still getting BSOD?
  12. On a good note, the desktop completely loads but then goes right to the BSOD.
  13. I get the following Technical Info:
    STOP: 0X0000008E (0XC0000005, 0XAA51D21D, OXA47747E8, 0X00000000)
  14. I ran the SDFix and Hijack scans again, and I'm running that Malwarebytes program you had me download again. Hopefully that will do something. If not, do you have any other ideas?
  15. We can continue on working in safe mode.

    I needed to know because one of the final clean-up tools needs to be run in normal mode.

    Open HiJackThis (HJT) and click on "Do a system scan only", navigate and put a check mark next to the entries shown in bold below.

    Be sure to mark the correct entries as HJT does repairs at the registry level and an incorrect selection can cause serious damage to the operating system.

    Close all open windows except for HJT and select "Fix Checked".

    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

    O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)

    O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

    O2 - BHO: {7e0bff41-2939-646a-92d4-e23d350ad95f} - {f59da053-d32e-4d29-a646-939214ffb0e7} - C:\WINDOWS\system32\ekhyvw.dll

    O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

    O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll

    O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
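The entries the helper picked out above follow a few recognisable patterns: an entry whose file is no longer on disk, an AppInit_DLLs value carrying a DLL that no installed product accounts for, and a Run value labelled like a Windows binary that actually launches something else. The following is an added Python example, not part of this thread and not a HijackThis feature, that scores HijackThis "O" lines against those three rules. The log lines it reads are a constructed sample modelled on the log posted above, and the AppInit allowlist containing only AVG's avgrsstx.dll is an assumption.

```python
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, written in the style of the HijackThis log posted in this thread
# (a mix of benign entries and the kinds of entries the helper marked for "Fix Checked").
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll
O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
"""

# Assumed allowlist: the only AppInit DLL that a product known to be on this machine (AVG 8) registers.
ALLOWED_APPINIT = {"avgrsstx.dll"}

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
O4_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")


@dataclass
class Finding:
    line: str
    reason: str


def command_basename(cmd):
    """Return the lower-cased executable name from an O4 command string (quoted or bare path)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]   # quoted path, may contain spaces
    else:
        exe = cmd.split()[0]             # bare path or bare file name: first token
    return ntpath.basename(exe).lower()


def triage(log_text, allowed_appinit=ALLOWED_APPINIT):
    """Return a list of Finding objects for HJT lines that match one of three review rules."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        # Rule 1: the entry still points at a file that no longer exists on disk.
        if "(file missing)" in body or body.endswith("(no file)"):
            findings.append(Finding(line, "references a missing file"))
            continue

        # Rule 2: AppInit_DLLs is loaded into every process that loads user32.dll,
        # so any DLL not on the allowlist deserves a close look.
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in body.split(":", 1)[1].split():
                if dll.lower() not in allowed_appinit:
                    findings.append(Finding(line, f"AppInit_DLLs loads unexpected DLL {dll}"))
            continue

        # Rule 3: a Run value labelled like a Windows binary that launches something else
        # (the [msiexec.exe] -> msiconf.exe pattern in the log above).
        if section == "O4":
            m4 = O4_RE.match(body)
            if m4:
                label = m4.group("name").lower()
                exe = command_basename(m4.group("cmd"))
                if label.endswith(".exe") and label != exe:
                    findings.append(Finding(line, f"label {label} does not match launched {exe}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55s} | {f.line}")
```

The output is a review list rather than a fix list: the same rules would also flag the stale BHO of a legitimately uninstalled program, so each flagged line still gets a human look before it is checked in HJT.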
  16. I am about to leave for work so I won't be back for a few hours.

    After you carefully do the fix with HJT see then if you can boot your pc up normally and let me know.

    Another very good scanner you can download and run (Normal / Safe modes) is SuperAntiSpyware (SAS).

    Feel free to run this in the meantime.

    Download SUPERAntispyware free edition to your desktop, install then update.

    Once the updates have finished click on the "Scan your computer button", ensure "perform complete scan" radio button is selected and click "next". Remove everything it finds.

    http://www.superantispyware.com
  17. My computer won't let me install it. It says, "The system administrator has set policies to prevent this installation." What do I need to do to allow it to install?
  18. Good news....I'm able to start my computer now w/out safe mode. I am running that scan now w/ superantispyware.
  19. Excellent.

    When the SAS scan has completed can you post the log back here please.

    To do this open SAS again and click on preferences. In the preferences screen click on the Statistics / Logs tab at the top. Highlight the most current log and click on the "View Log..." button.

    Copy / paste the contents back here with a fresh HJT log.
  20. I had to type this by hand on my laptop. It seems that my desktop won't connect to the internet. The wireless router is working, but the internet just won't work for the laptop. Could it have something to do w/ all the scans I ran? Should I re-setup my wireless router?

    SUPERAntispyware Scan Log
    http://www.superantispyware.com

    Generated 01/06/2009 at 10:49 PM

    Application version 4.24.1004

    Core Rules Database version: 3697
    Trace Rules Database Version: 1673

    Scan Type : Complete Scan
    Total Scan Time : 00:29:09

    Memory items scanned : 418
    Memory items detected : 0
    Registry items scanned : 6186
    Registry threats detected : 3
    Files items scanned : 25595
    File threats detected : 0

    Rogue.SpywareGuard2008
    HKLM\Software\Spyware Guard 2008
    HKLM\Software\Spyware Guard 2008\Info
    HKLM\Software\Spyware Guard 2008\Lic
  21. I'm confused.

    Can you reword your above post to clarify please.

    If the computer we are working on has lost internet connectivity we will work on fixing it, but I'm really not sure which is working and which isn't. Also, are they both connected wirelessly to your router, or is the desktop connected physically?

    If only the pc we are working on has lost the internet, there may be one entry that was fixed with HJT that we can roll back and fix another way that might have caused it. But before we can move ahead I need you to clarify.
  22. My desktop is directly connected to my wireless router. My laptop is not directly connected. My desktop is the one w/ all the problems that you have so kindly been helping me with. My laptop is fine.

    The wireless router is working. My laptop, and my sister's computer are able to get internet. I hope this helps.
  23. Thank you for clarifying.

    The problem is likely at the desktop. Leave the router as is, we'll work on the desktop to rectify the connectivity issue.

    Unfortunately when dealing with malware, when it is wounded it sometimes tries to take out legitimate processes with it.

    Open HJT. When the first screen appears click on "View the list of backups". In the new window highlight this line (the whole line may not be visible, but it will be discernable):

    O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll

    and click on restore.

    Your AntiVirus program may alert you of this action. Ignore or allow it to continue on if it does.

    ==================================================

    If you have a USB flash drive you can copy the reg file we are about to create from the laptop to the desktop then run it, otherwise carefully follow the instructions below.

    Next minimize all windows so that you can see the desktop. Right click the desktop and select "New" then "Text Document".

    Double click to open.

    From the very top line copy / type the bold text below:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=-
    "AppInit_DLLs"="avgrsstx.dll"


    There are no spaces. But you need the blank line between REGEDIT4 and [HKEY_...... Note the little dash / minus sign after =

    Once you have ensured that every character and symbol are correct click on file at the top and select "Save as". Save it to your desktop. Name the file regfix.reg (regfix dot reg) and in the dropdown box next to "save as type" select "All files".

    On the desktop you should now have an icon that looks like a cube with bits coming off. Right click this and select merge; when prompted to merge with the registry, click yes.

    Run a fresh HJT scan and post the results back here.

    Also let me know if internet connectivity has returned.
  24. ...\microsoft\windows nt\currentversio...

    Sorry, one space between windows nt
  25. These narrow Tom's columns don't make it easy.

    1st Line: REGED....
    2nd Line: <blank>
    3rd Line: [HKEY_LO...
    4th Line: "AppI...
    5th Line: "AppI...
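Posts 23 to 25 spell out the regfix line by line. The following is an added Python example, not from this thread, that builds that REGEDIT4 file from an allowlist of DLLs and checks a hand-typed copy for the layout mistakes those posts warn about: a missing blank line after REGEDIT4, the space dropped from "windows nt", a missing minus sign, and a file that was saved as regfix.reg.txt instead of regfix.reg. The key path and value name are the ones from post 23; the allowlist containing only avgrsstx.dll is an assumption taken from the log.

```python
import re

# Key path and value name exactly as given in post 23 (registry key names are case-insensitive).
KEY_PATH = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"
VALUE = "AppInit_DLLs"


def build_appinit_regfix(keep_dlls):
    """Return the text of a REGEDIT4 file that deletes AppInit_DLLs and re-creates it
    containing only keep_dlls (space separated, as in the helper's regfix)."""
    joined = " ".join(keep_dlls)
    lines = [
        "REGEDIT4",
        "",                            # the blank line the helper insists on
        f"[{KEY_PATH}]",
        f'"{VALUE}"=-',                # '=-' deletes the existing value first ...
        f'"{VALUE}"="{joined}"',       # ... then it is re-created with the allowed DLLs only
        "",                            # trailing blank line so the last value is not left dangling
    ]
    return "\r\n".join(lines)          # .reg files are CRLF text


def check_regfix(text):
    """Check a hand-typed regfix against the five-line layout from posts 23-25.
    Returns a list of problems; an empty list means the file matches."""
    problems = []
    lines = text.replace("\r\n", "\n").split("\n")
    if not lines or lines[0] != "REGEDIT4":
        problems.append("line 1 must be exactly REGEDIT4")
    if len(lines) < 2 or lines[1] != "":
        problems.append("line 2 must be blank")
    if len(lines) < 3 or lines[2].lower() != f"[{KEY_PATH}]".lower():
        problems.append("line 3 must be the bracketed key path (note the single space in 'windows nt')")
    if len(lines) < 4 or lines[3] != f'"{VALUE}"=-':
        problems.append('line 4 must be "AppInit_DLLs"=- (the minus sign deletes the old value)')
    if len(lines) < 5 or not re.fullmatch(rf'"{VALUE}"="[^"]*"', lines[4]):
        problems.append('line 5 must be "AppInit_DLLs"="<dll names>"')
    return problems


def is_reg_filename(name):
    """Notepad appends .txt unless 'All files' is chosen; regfix.reg.txt will not merge."""
    return name.lower().endswith(".reg")


if __name__ == "__main__":
    # Assumed allowlist: only the AVG DLL that appears in the HJT log.
    regfix = build_appinit_regfix(["avgrsstx.dll"])
    print(regfix)
    print("problems in generated file:", check_regfix(regfix))
    print("problems with the space removed:", check_regfix(regfix.replace("windows nt", "windowsnt")))
    print("regfix.reg.txt is a .reg file:", is_reg_filename("regfix.reg.txt"))
```

Deleting the value with `=-` before re-creating it is what makes the fix safe to re-run: the injected DLL is dropped rather than appended to, and the result is the same whether the value existed beforehand or not.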
  26. Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:39:31 PM, on 1/7/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\PSIService.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061227
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
    O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
    O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
    O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S16D.tmp" /EF "HKCU"
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204575382125
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: avgrsstx.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 11650 bytes
  27. Oh and still no connectivity.
  28. The rollback worked perfectly and you have correctly run the regfix.

    Are you able to transfer files between your pcs with a USB flash drive?
  29. If you are, click on the link below and save to the flash drive:

    http://www.cexx.org/LSPFix.exe

    Once downloaded take the file to the affected pc and copy / paste it to the desktop.

    Double click LSPFix.exe to run.

    Let me know if you are able to connect to the internet.
  30. OMG you are the best! My internet is working! Should I go now and allow my computer to set Restore Dates?
  31. Unfortunately I have run short of time.

    Leave the restore points for now.

    We still need to run a couple of scans to confirm the absence of malware, do a cleanup and run one update.

    Once these are done your restore points can be flushed and a new one created.
  32. Your Java is out of date. It needs to be updated to prevent any exploits.

    Click on the link below to download Java SE Runtime Environment (JRE) 6 Update 11, it should be the first option. Select windows as your platform then check to agree to terms and continue. In this next screen select "Windows Offline Installation" and save it to your desktop.

    http://java.sun.com/javase/downloads/index.jsp

    Close all open windows and programs then go into control panel > Add / Remove programs. Look for and uninstall all instances of java, JRE and J2SE.

    Reboot your PC and install the version of Java you downloaded to your desktop (jre-6u11-windows-i586-p.exe).
  33. Download ATF Cleaner to your desktop.

    http://www.majorgeeks.com/ATF_Cleaner_d4949.html

    Once downloaded double click to start the program. On the main screen put a check mark in "Select all" then click "Empty Selected".

    Exit the program when it prompts you that it has finished.
  34. Heya nikegurl24,

    In case you have gone right to the bottom of this thread can you begin with the Java update a couple of posts up please.

    ===========================================================================================

    Run combofix and post the log.

    Here are the instructions:

    Again temporarily disable any Realtime protection given by Antivirus, Antispyware and script blocking etc

    Download Combofix to your desktop.

    Note: It is important that it is saved directly to your desktop

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    Close any open browsers and windows except for Combofix

    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.

    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note: Do not mouseclick combofix's window while it's running, as it can cause the program to freeze/hang.

    In some cases your Antivirus or other realtime scanner will display an alert after you downloaded Combofix or while you use Combofix. Please disable your scanners, delete the copy off the desktop and download Combofix again.

    Some scanners may see some combofix related components as suspicious and block or delete them. There's nothing wrong with Combofix; heuristic detection can report this false positive because of combofix's removal technique.
  35. When I open ComboFix...it says there are instances of AVG and Norton running. I have AVG 8 and I don't have it running. I do not have Norton. What should I do? Should I just run ComboFix anyway?
  36. Oh and for some reason the clock has been switched to military time. Does that mean anything?
  37. Combofix changes the time format during the scan.

    There is an old entry for Norton / Symantec that showed up in your HJT log. You can run the uninstaller to remove it, but we will save it for the very end.

    Yes run Combofix, the log it produces is very comprehensive. Combofix should change the date format back when it has finished the run.
  38. Source: http://www.bleepingcomputer.com/forums/topic114351.html

    Disable AVG 8
    Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
    Click on Tools.
    Select Advanced.
    In the left hand pane, scroll down to "Resident Shield".
    In the main pane, deselect the option to "Enable Resident Shield."
    To re-enable AVG 8, please select "Enable Resident Shield" again.

    We will run the Norton removal tool now so it doesn't interfere with our progress.


    Download and run the correct version of the Norton product that was previously installed on your PC:

    http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039


    Try the ComboFix run again.
  39. If you are unsure which version of Norton you had, download this one instead:

    http://majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html
  40. ComboFix 09-01-08.02 - Me 2009-01-08 22:40:15.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -5:00]
    Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Me\Application Data\inst.exe
    c:\program files\windows media player\mplayer2.exe
    c:\windows\IE4 Error Log.txt
    c:\windows\system32\drivers\senekaqpktkbgo.sys
    c:\windows\system32\uniq.tll
    c:\windows\system32\win32hlp.cnf

    Infected copy of c:\windows\system32\userinit.exe was found and disinfected
    Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


    .
    ((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
    .

    2009-01-08 22:36 . 2009-01-08 22:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
    2009-01-08 13:28 . 2009-01-08 13:28 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-01-08 13:28 . 2009-01-08 13:28 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
    2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com
    2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-01-05 18:44 . 2009-01-05 18:44 <DIR> d-------- c:\program files\Trend Micro
    2009-01-05 18:23 . 2009-01-05 18:23 578,560 --a------ c:\windows\system32\dllcache\user32.dll
    2009-01-05 18:18 . 2009-01-05 18:18 <DIR> d-------- c:\windows\ERUNT
    2009-01-05 18:16 . 2009-01-06 19:48 <DIR> d-------- C:\SDFix
    2009-01-05 10:32 . 2009-01-05 10:32 <DIR> d-------- c:\documents and settings\Me\Application Data\Malwarebytes
    2009-01-04 14:58 . 2009-01-04 14:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
    2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-01-03 19:15 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-01-03 19:15 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-01-02 22:59 . 2009-01-02 22:59 <DIR> d-------- C:\b2beff07c30af33b763750
    2009-01-02 22:57 . 2009-01-02 22:58 <DIR> d-------- C:\XPSP3
    2009-01-02 22:33 . 2009-01-02 22:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
    2009-01-02 11:49 . 2009-01-02 11:49 <DIR> d-------- c:\windows\system32\CatRoot_bak
    2009-01-02 11:25 . 2009-01-02 13:44 <DIR> d-------- C:\XPSP2
    2009-01-02 11:25 . 2009-01-02 11:35 <DIR> d-------- C:\XPCD
    2009-01-02 01:45 . 2006-12-27 10:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
    2009-01-02 01:45 . 2006-12-27 10:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
    2009-01-02 01:45 . 2006-12-27 10:24 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
    2009-01-02 01:45 . 2006-12-27 10:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
    2009-01-02 01:45 . 2009-01-03 14:44 <DIR> d-------- c:\documents and settings\Administrator
    2008-12-18 07:23 . 2008-12-18 07:23 103,360 --a------ c:\windows\system32\drivers\AnyDVD.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-09 03:46 --------- d-----w c:\program files\DNA
    2009-01-09 03:46 --------- d-----w c:\documents and settings\Me\Application Data\DNA
    2009-01-09 03:37 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-01-08 18:28 --------- d-----w c:\program files\Java
    2009-01-08 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
    2009-01-02 05:21 --------- d-----w c:\documents and settings\Me\Application Data\BitTorrent
    2009-01-02 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
    2009-01-01 17:05 --------- d-----w c:\documents and settings\Me\Application Data\Corel
    2008-12-31 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
    2008-12-25 19:27 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
    2008-12-25 19:24 88 --sh--r c:\documents and settings\All Users\Application Data\8C99B041E3.sys
    2008-12-19 16:04 --------- d-----w c:\documents and settings\Me\Application Data\Tunebite
    2008-12-10 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
    2008-12-07 05:49 --------- d-----w c:\program files\iTunes
    2008-12-07 05:49 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-12-07 05:48 --------- d-----w c:\program files\iPod
    2008-12-07 05:48 --------- d-----w c:\program files\Common Files\Apple
    2008-12-07 05:47 --------- d-----w c:\program files\QuickTime
    2008-11-22 01:41 --------- d-----w c:\documents and settings\Me\Application Data\Alien Skin
    2008-11-22 00:01 --------- d-----w c:\program files\Common Files\Corel
    2008-11-22 00:00 --------- d-----w c:\program files\Corel
    2008-11-22 00:00 --------- d-----w c:\program files\Common Files\Protexis
    2008-11-22 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
    2008-11-21 22:24 --------- d-----w c:\program files\Alien Skin
    2008-07-04 02:09 47,360 ----a-w c:\documents and settings\Me\Application Data\pcouffin.sys
    2007-05-13 17:04 87,608 ----a-w c:\documents and settings\Me\Application Data\ezpinst.exe
    2007-04-30 21:16 476,752 ----a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
    2007-01-26 02:54 124 ----a-w c:\documents and settings\Me\Application Data\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
    "EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
    "Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
    "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
    "SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
    "UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
    "RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-27 26112]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
    "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
    "2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-05-25 393216]
    "AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
    "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-08-24 2468200]
    "Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]
    "MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
    "c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\DNA\\btdna.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-23 97928]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
    R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\00.fcl [2008-04-16 17:47:39 13560]
    R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
    R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
    R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-23 76040]
    R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-18 24652]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
    c:\program files\PixiePack Codec Pack\InstallerHelper.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-01-09 c:\windows\Tasks\ptngofmu.job
    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://yahoo.sbc.com/dsl
    mStart Page = hxxp://www.yahoo.com/?.home=ytie
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
    FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\umhsj9r3.default\
    FF - prefs.js: browser.startup.homepage - hxxp://yahoo.sbc.com/dsl
    FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
    FF - plugin: c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\umhsj9r3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", true);
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-08 22:46:51
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
    "ImagePath"="\??\c:\program files\CyberLink\PowerDVD\00.fcl"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CC1320C2-4A2C-420B-BCE6-3E6750BFED66}\InprocServer32]
    @DACL=(02 0000)
    @="c:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll"
    "ThreadingModel"="Apartment"

    [HKEY_LOCAL_MACHINE\software\Spyware Guard 2008\Info]
    @DACL=(02 0000)

    [HKEY_LOCAL_MACHINE\software\Spyware Guard 2008\Lic]
    @DACL=(02 0000)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(844)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    c:\windows\system32\CTSVCCDA.EXE
    c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\PSIService.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\program files\CyberLink\Shared Files\RichVideo.exe
    c:\progra~1\AVG\AVG8\avgrsx.exe
    c:\docume~1\Me\LOCALS~1\Temp\clclean.0001
    c:\windows\system32\wscntfy.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    c:\program files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-08 22:52:24 - machine was rebooted [Me]
    ComboFix-quarantined-files.txt 2009-01-09 03:52:21

    Pre-Run: 74,065,006,592 bytes free
    Post-Run: 74,072,891,392 bytes free

    245 --- E O F --- 2008-12-18 08:02:03
  41. There are a couple of files that need to be looked at.

    The folder options can be reverted back to their original settings once the scan results are posted

    Go into Control Panel > Folder Options and click on the "View" tab at the top of the window. In here click on the "Show hidden files and folders" radio button and uncheck "Hide protected operating system files (recommended)". Allow the changes when prompted.

    Go to either of the 2 sites linked below:

    http://virusscan.jotti.org/

    or

    http://www.virustotal.com/

    Once there, next to the browse button on the webpage copy and paste the file path (bolded) into the white box and submit. Please submit only one at a time. Once the scan has completed copy / paste the results back here.

    c:\documents and settings\All Users\Application Data\8C99B041E3.sys

    C:\b2beff07c30af33b763750
  42. File: 8C99B041E3.sys
    Status: OK
    MD5: 25979e3bf09b1b2f1e0dc5616bfe60fa
    Packers detected:
    -

    Scan taken on 10 Jan 2009 15:15:14 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    G DATA Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
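The helper picked the two items above by name alone (a bare hex folder name under C:\ and a hex-named .sys in All Users\Application Data), and the scan result is keyed on the file's MD5. As an added example, not from this thread or from ComboFix, the script below applies that same naming heuristic to ComboFix-style file lines and computes the MD5/SHA-256 you would paste into Jotti or VirusTotal; the sample lines are copied from the log posted earlier, and the two triage rules are this example's own assumption.

```python
import hashlib
import re
from pathlib import PureWindowsPath
from typing import Optional

# Sample input: lines copied from the ComboFix log posted earlier in this
# thread (new-files and Find3M sections). The triage rules below are an
# assumption of this example, not something ComboFix itself does.
SAMPLE_LOG = """\
2009-01-02 22:59 . 2009-01-02 22:59 <DIR> d-------- C:\\b2beff07c30af33b763750
2009-01-02 22:57 . 2009-01-02 22:58 <DIR> d-------- C:\\XPSP3
2008-12-25 19:27 2,828 --sha-w c:\\documents and settings\\All Users\\Application Data\\KGyGaAvL.sys
2008-12-25 19:24 88 --sh--r c:\\documents and settings\\All Users\\Application Data\\8C99B041E3.sys
2008-07-04 02:09 47,360 ----a-w c:\\documents and settings\\Me\\Application Data\\pcouffin.sys
2009-01-03 19:15 . 2008-12-03 19:52 15,504 --a------ c:\\windows\\system32\\drivers\\mbam.sys
"""

# A ComboFix file line starts with a timestamp and ends with a Windows path.
_LINE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} .*?([A-Za-z]:\\.*)$")
_HEX_RE = re.compile(r"[0-9a-f]{8,}")


def looks_random(path: str) -> Optional[str]:
    """Return a reason if the file/folder name looks machine-generated, else None."""
    stem = PureWindowsPath(path).stem
    if _HEX_RE.fullmatch(stem.lower()):
        return "name is a bare hex string"
    vowels = sum(ch in "aeiou" for ch in stem.lower())
    if len(stem) >= 8 and vowels <= 1:
        return "long name with almost no vowels"
    return None


def triage(log_text: str) -> list:
    """Pick out log entries whose names warrant a multi-engine scan.

    A hit means "submit this for scanning", not "malicious": the hex-named
    folder in this thread turned out to be a legitimate update folder.
    """
    flagged = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group(1).strip()
        reason = looks_random(path)
        if reason:
            flagged.append((path, reason))
    return flagged


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-256 of a blob, the identifiers Jotti/VirusTotal report."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def hash_file(path: str) -> dict:
    """Hash a file in chunks so a large sample need not fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"review: {path}  ({reason})")
```

Run against the full log it reproduces exactly the two entries the helper asked about and leaves the drivers and application folders alone; hash_file() on a flagged file gives the MD5 to compare against the scanner's report line.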
  43. I am not able to upload that last file onto either of the sites. There are 2 files in that folder you had me browse...there is an i386 folder and $shtdwn$.req
    It says that I can't scan the i386 folder because it's empty, and when I click on the other it says "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
  44. OK that's fine. It appears to be a legitimate folder. If it's not, an online scan will detect it.

    You have done really well and we are now at the business end of the process. It's time to clean up some of the tools we used.
  45. Awesome. I really can't thank you enough for all the help you've given me. It is appreciated more than you know :-)
  46. Your logs are all clean except for one little issue I'm not too concerned about.

    SuperAntiSpyware(SAS) detected registry entries that were picked up by ComboFix. These aren't a concern as the body of the malware has been taken care of.

    Can you run SAS again and have it fix these registry entries, they belonged to Spyware Guard 2008. You can also run the scan in safe mode to increase the chance of removal.

    OK time for clean up.

    ==========

    Viewpoint has shown on your logs (this wasn't responsible for the PC instability). Viewpoint is not considered malware but rather foistware, as it installs on your PC without your knowledge / consent and has running processes in the background. It is advisable to remove.

    Go to Start > Settings > Control Panel > Add/Remove Programs and remove any of the following programs if present.

    Viewpoint
    Viewpoint Manager
    Viewpoint Media Player

    ==========

    SDFix: Delete anything downloaded to your desktop and delete the folder at the root of your operating system. C:\SDFix

    ==========

    HijackThis: Delete anything downloaded to your desktop and remove with control panel "Add / Remove Programs"

    ==========

    ComboFix: Copy the bolded text below:

    combofix /u

    Click on "Start" > "Run" and paste the text into the box and hit enter.

    ==========

    regfix.reg: Delete from the desktop.

    ==========

    LSPFix.exe: Delete from the desktop.

    ==========

    Java: If it is still there you can delete the Java setup file from the desktop, jre-6u11-windows-i586-p.exe

    ==========
    OPTIONAL
    ==========

    ATF Cleaner: Excellent for keeping temporary files to a minimum. Doesn't use system processes as it is an on call cleaner. Delete from the desktop if you don't need it.

    ==========

    Malwarebytes' Anti-Malware: On call Malware removal tool. Doesn't run on startup. Can be updated and run periodically. Delete anything downloaded to your desktop and remove via control panel "Add / remove programs" if unwanted.

    ==========

    SUPERAntiSpyware: On call Antispyware removal tool. Runs on startup to protect homepage (if selected) and add right click scan functionality. Can be removed from startup and used as an on call scanner. Delete anything downloaded to your desktop remove via control panel "Add / remove programs" if unwanted.

    ==========

    System Restore

    Flush your system restore and set a new restore point.

    Click on "Start" > "All Programs" > "Accessories" > "System Tools" > "System Restore".

    On the left side of the window click on "System Restore Settings" then put a check mark in "Turn off System Restore on all drives", allow it to continue when prompted.

    Reboot your PC then turn system restore back on.
  47. I should add, it's important to follow the System Restore step. Malware can hide in system restore and reintroduce itself. Shouldn't have posted it under "Optional".

    Last but not least. The online scan.

    Eset will detect any more infections and perform a cleanup process. Don't be concerned if it finds infected files; some of the tools we used detect active files and don't perform complete checks for dormant files. This scan is very in-depth and has the most up-to-date virus definition signature database.

    Please click on the link and follow the steps below:

    1. Go here http://www.eset.com/onlinescan/
    2. Agree to the terms and conditions
    3. Click "Start"
    4. When you see the security warning install and run "OnlineScanner.cab" click yes.
    5. Click "Start"
    6. To do a full-scan tick: "Remove found threats" and "Scan potentially unwanted applications"
    7. Click "Scan". This process will likely take a while
    8. Once the scan has finished close the window
    9. Next click "Start" > "Run" and copy the bolded text below into the run box and hit enter.

    C:\Program Files\EsetOnlineScanner\log.txt

    10. A notepad document will open, copy / paste its entire contents back here.

    IMPORTANT: Ensure you have reinitiated AVG8 and it is no longer disabled
  48. I'm running the scan now. When I restarted my computer after I turned off system restore, I got the BSOD again. I got those "your computer just had a severe error click to send the error logs" messages; I sent them and got this message:

    "Corrupted error report"
    Unfortunately, the error report you submitted is corrupted and cannot be analyzed. Corrupted error reports are rare. They can be caused by hardware or software problems, and they usually indicate a serious problem with your computer.

    The scanner is almost done running now, so I'll be posting that info shortly.
  49. I need to see what the scan produces. We may need to run a system file checker.