Recovery Console not responding

January 3, 2009 6:45:19 PM

Hi. I am new to the forum and NEED help. I'm usually pretty good at figuring stuff out, usually by checking out forums like this one, but so far no dice. Every time I start my computer, it loads, goes to the desktop and then I get the BSOD. I installed the Recovery Console. I restarted the computer, and I got a prompt: Windows XP or Recovery Console. I clicked Recovery and the screen went black with a blinking cursor in the top left-hand corner. I'm at a complete loss.

I believe I have a Backdoor.Rustock.B virus.

Can someone please help me out? I'm at my wit's end, and I can't bring myself to pay hundreds of dollars for the Geek Squad to fix it... at least not yet.
January 3, 2009 9:57:16 PM

Are you able to boot into Safe Mode, or Safe Mode with Networking?

Restart your PC. After the PC powers down, and immediately after you hear it powering up again, start tapping the F8 key at about 1-second intervals. A screen should appear with "Safe Mode with Networking" as one of the options. Select "Safe Mode with Networking"; as the operating system is loading you should see white text against a black background rolling up the screen. This is normal. Once loaded, the screen will look cartoonish with "Safe Mode" appearing in the 4 corners.

Note: Never use msconfig to boot into "Safe Mode" when dealing with malware, as this can cause a boot loop.

Once you are in "Safe Mode", download Malwarebytes' Anti-Malware (MBAM). When the download dialog box comes up, before you download the program, rename "mbam-setup.exe" to nike.exe. Let it update and scan your system. Reboot when prompted and let your PC boot up normally.

Please post the log MBAM produces. If the report doesn't open, you can obtain it by running nike.exe (MBAM) and clicking on the Logs tab. Copy and paste the entire contents back here.

http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d57...

January 3, 2009 10:09:32 PM

I am able to go into Safe Mode. I've just done plain ol' Safe Mode, but I'll def try what you suggested and get back to you. Thank you so much :)
January 4, 2009 3:20:20 AM

So I ran the scanner and this is what I got:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/4/2009 12:07:50 AM
mbam-log-2009-01-04 (00-07-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195317
Time elapsed: 38 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 12
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d53cdd35-adda-44fa-9167-8739d72605ce} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{d53cdd35-adda-44fa-9167-8739d72605ce} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889d08bb (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjakefubeqi (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> No action taken.

Folders Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.

Files Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lRAJmnpo.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\lRAJmnpo.ini2 (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\eyrdlope.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\epoldrye.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\vytetpku.ini (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\upd105320[1] (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MH1YFM9C\upd105320[1] (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> No action taken.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\Ewumanar.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSd838.tmp (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSda0d.tmp (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> No action taken.
C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> No action taken.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> No action taken.
C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> No action taken.
C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> No action taken.
C:\Documents and Settings\Me\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Me\Favorites\Error Cleaner.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\Me\Favorites\Privacy Protector.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\Me\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.
January 4, 2009 4:13:29 AM

It appears from the log that you haven't selected any detections for removal.

If this is the case, boot your PC into "Safe Mode" again and run the full scan. Once the scan is complete, ensure you put a check mark against everything, then click on "Remove Selected".

Reboot your PC and post the fresh log back here. We will move on to the next step.
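The check the reply above made by eye, as an added example that is not part of the thread: a small Python triage of the MBAM log format posted here. The log excerpt inside it is constructed from a few of the entries above; the section names and "-> status" strings are the ones MBAM 1.31 writes.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log: parse each
"<Section> Infected:" block, check the summary counts against the listed
entries and report what was actually remediated (the reply above spotted
by eye that every entry in the first log read "No action taken")."""
import re
from collections import Counter

SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?: (?P<count>\d+))?$")
# <item> (<family>) [-> Data: <data>] -> <status>.
ENTRY_RE = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Data: (?P<data>.+?))? -> (?P<status>[^>]+?)\.?$"
)

# Constructed excerpt in the same layout as the logs posted in the thread: a
# few of the real entries, with mixed statuses so every case is exercised.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.31

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889d08bb (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> No action taken.

Files Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lRAJmnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (declared_counts, findings); each finding is a dict of regex groups."""
    declared, findings, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group("count") is not None:   # summary block: "X Infected: N"
                declared[m.group("name")] = int(m.group("count"))
                section = None
            else:                              # detail block: "X Infected:"
                section = m.group("name")
            continue
        if section is None:
            continue                           # version / scan-type header lines
        e = ENTRY_RE.match(line)
        if e:
            findings.append({"section": section, **e.groupdict()})
    return declared, findings


def triage(text):
    declared, findings = parse_mbam_log(text)
    listed = Counter(f["section"] for f in findings)
    return {
        "total": len(findings),
        "by_status": Counter(f["status"] for f in findings),
        # summary count disagrees with the entries listed under that section
        "count_mismatch": {s: (n, listed.get(s, 0))
                           for s, n in declared.items() if n != listed.get(s, 0)},
        # scanned but never removed: the scan ran without "Remove Selected"
        "untouched": [f["item"] for f in findings if f["status"] == "No action taken"],
        # in-use files MBAM can only delete on the next reboot
        "pending_reboot": [f["item"] for f in findings if f["status"] == "Delete on reboot"],
        # LSA Notification/Authentication Packages are DLLs lsass.exe loads at
        # boot; remove the value as well as the file, or a re-dropped DLL loads again
        "lsa_packages": [f["data"] for f in findings if "\\Control\\LSA\\" in f["item"]],
    }


def nothing_removed(text):
    """True when every detection still reads 'No action taken' (the first log)."""
    _, findings = parse_mbam_log(text)
    return bool(findings) and all(f["status"] == "No action taken" for f in findings)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG), nothing_removed(SAMPLE_LOG))
```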
January 4, 2009 5:19:03 PM

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

1/4/2009 2:12:45 PM
mbam-log-2009-01-04 (14-12-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 196202
Time elapsed: 35 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 13
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{832626fa-c460-4a29-adba-d938601cd02b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{832626fa-c460-4a29-adba-d938601cd02b} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\spyware guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\spyware guard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\889d08bb (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spywareguard (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjakefubeqi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\opnmjarl -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008 (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\quarantine (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\opnmJARl.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\lRAJmnpo.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lRAJmnpo.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eyrdlope.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\epoldrye.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ukptetyv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vytetpku.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\60KG8T7T\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MH1YFM9C\upd105320[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Spyware Guard 2008.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Start Menu\Programs\Spyware Guard 2008\Uninstall.lnk (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\conf.cfg (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\mbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\quarantine.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\queue.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\spywareguard.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\uninstall.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\Spyware Guard 2008\vbase.vdb (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\Ewumanar.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\sysexplorer.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\TDSSd838.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\reged.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\spoolsystem.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\sys.com (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\syscert.exe (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\WINDOWS\vmreg.dll (Rogue.SpywareGuard) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\winvsnet.tmp (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\svhost.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Microsoft\Protect\track.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
January 4, 2009 10:44:51 PM

This next tool, SDFix, is designed to detect and remove any difficult trojans that have locked themselves to your system. It will also reset your hosts file.

You may want to print these instructions or copy them to a notepad document on your desktop so they can be accessed in safe mode.

IMPORTANT: Temporarily disable any real-time protection given by antivirus, antispyware, script blocking, etc.

Refer to the link below to see how to do this with your current security tools. If you have any questions, please ask them before running the tool.

http://www.bleepingcomputer.com/forums/topic114351.html

If you have a custom hosts file you will need to re-apply your settings after you run SDFix.

Download SDFix to your desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.e...

Double click SDFix.exe on your desktop and it will extract the files to the root directory where your operating system resides.

Next, boot your PC into "Safe Mode" using the F8 key during start-up.

Please do not use the msconfig method when booting into "Safe Mode" for malware removal, as this can cause a boot loop.

1) Open the extracted SDFix folder and double click RunThis to start the script. This can be found in the root directory, usually C:\SDFix.

2) Type Y to begin the cleanup process.

3) It will remove any trojan services and registry entries that it finds, then prompt you to press any key to reboot.

4) Press any key and it will restart the PC.

5) When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

6) Once the desktop icons load, the SDFix report will open on screen and also be saved into the SDFix folder as Report.txt
(Report.txt will also be copied to the clipboard, ready for posting back on the forum).

7) Finally, paste the contents of Report.txt back on the forum with a new HijackThis log. It can be found inside the SDFix folder on the desktop.
January 4, 2009 10:53:59 PM

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program. By default it will install to C:\Program Files\Trend Micro\HijackThis.
3. Accept the license agreement by clicking the "I Accept" button.
4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
5. Once the scan is complete a notepad document will appear on the desktop.
6. Copy and paste the contents of the entire HijackThis log back here in your next reply.
7. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

http://www.trendsecure.com/portal/en-US/_download/HJTIn...
January 5, 2009 9:23:32 PM

Can I download and unpack SDFix in Safe Mode? Or do I have to do it in the normal start-up?
January 5, 2009 9:43:09 PM

Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\Documents and Settings\Me\Application Data\Adobe\crc.dat - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-05 18:35:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

disk error: C:\WINDOWS\system32\config\system, 0
scanning hidden registry entries ...

disk error: C:\WINDOWS\system32\config\software, 0
disk error: C:\Documents and Settings\Me\ntuser.dat, 0
scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Mozilla Firefox"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe"="C:\\Program Files\\Red Chair Software\\Deubox Explorer\\deumgr.exe:*:Enabled:D eubox Xtreamer"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:D NA"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 26 Aug 2008 211 A.SHR --- "C:\BOOT.BAK"
Sat 6 Jan 2007 88 A.SHR --- "C:\i386\76DA9D86CF.sys"
Sat 6 Jan 2007 3,766 A.SH. --- "C:\i386\KGyGaAvL.sys"
Wed 5 Sep 2007 0 ..SH. --- "C:\WINDOWS\S026C53D2.tmp"
Thu 1 Jan 2009 248 ..SHR --- "C:\WINDOWS\system32\76DA9D86CF.sys"
Thu 1 Jan 2009 7,518 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 25 Dec 2008 88 ..SHR --- "C:\Documents and Settings\All Users\Application Data\8C99B041E3.sys"
Thu 25 Dec 2008 2,828 A.SH. --- "C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys"
Sat 27 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 27 Aug 2008 45,568 ...H. --- "C:\Documents and Settings\Me\My Documents\~WRL0003.tmp"
Fri 20 Jun 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 5 Feb 2007 1 ..SHR --- "C:\Documents and Settings\Me\Local Settings\Temp\browshui64.dll"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch5\lock.tmp"
Wed 27 Dec 2006 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch6\lock.tmp"
Fri 16 Nov 2007 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch7\lock.tmp"

Finished!
January 5, 2009 9:45:28 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:44:50 PM, on 1/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&chann...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&chann...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&chann...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: {7e0bff41-2939-646a-92d4-e23d350ad95f} - {f59da053-d32e-4d29-a646-939214ffb0e7} - C:\WINDOWS\system32\ekhyvw.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource5\Go\CTCMSGoU.exe" /SCB
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUpload...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll
O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
O21 - SSODL: ieModule - {CC1320C2-4A2C-420B-BCE6-3E6750BFED66} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\ieModule.dll
O21 - SSODL: InternetConnection - {14E9AF0E-1D88-41D3-96F6-8018C74E92E8} - C:\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\srptitxdtx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10111 bytes
January 5, 2009 11:08:56 PM

Are you able to use your pc in normal mode now, or are you still getting BSOD?

January 5, 2009 11:41:54 PM

On a good note, the desktop completely loads but then goes right to the BSOD.
January 5, 2009 11:43:36 PM

I get the following Technical Info:
STOP: 0X0000008E (0XC0000005, 0XAA51D21D, OXA47747E8, 0X00000000)
January 6, 2009 1:20:33 AM

I ran the SDFix and Hijack scans again, and I'm running that Malwarebytes program you had me download again. Hopefully that will do something. If not, do you have any other ideas?
January 6, 2009 1:29:54 AM

We can continue working in safe mode.

I needed to know because one of the final clean-up tools needs to be run in normal mode.

Open HiJackThis (HJT) and click on "Do a system scan only", navigate and put a check mark next to the entries shown in bold below.

Be sure to mark the correct entries as HJT does repairs at the registry level and an incorrect selection can cause serious damage to the operating system.

Close all open windows except for HJT and select "Fix Checked"

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - (no file)

O2 - BHO: {7e0bff41-2939-646a-92d4-e23d350ad95f} - {f59da053-d32e-4d29-a646-939214ffb0e7} - C:\WINDOWS\system32\ekhyvw.dll

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll

O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
January 6, 2009 1:38:38 AM

I am about to leave for work so I won't be back for a few hours.

After you carefully do the fix with HJT see then if you can boot your pc up normally and let me know.

Another very good scanner you can download and run (Normal / Safe modes) is SuperAntiSpyware (SAS)

Feel free to run this in the meantime.

Download SUPERAntispyware free edition to your desktop, install then update.

Once the updates have finished click on the "Scan your computer button", ensure "perform complete scan" radio button is selected and click "next". Remove everything it finds.

http://www.superantispyware.com
January 6, 2009 9:23:43 PM

My computer won't let me install it. It says, "The system administrator has set policies to prevent this installation." What do I need to do to allow it to install?
January 6, 2009 10:18:50 PM

Good news....I'm able to start my computer now w/out safe mode. I am running that scan now w/ superantispyware.
January 6, 2009 10:43:49 PM

Excellent.

When the SAS scan has completed can you post the log back here please.

To do this open SAS again and click on preferences. In the preferences screen click on the Statistics / Logs tab at the top. Highlight the most current log and click on the "View Log..." button.

Copy / paste the contents back here with a fresh HJT log.
January 7, 2009 2:20:41 AM

I had to type this by hand on my laptop. It seems that my desktop won't connect to the internet. The wireless router is working, but the internet just won't work for the laptop. Could it have something w/ all the scans I ran? Should I re-setup my wireless router?

SUPERAntispyware Scan Log
http://www.superantispyware.com

Generated 01/06/2009 at 10:49 PM

Application version 4.24.1004

Core Rules Database version: 3697
Trace Rules Database Version: 1673

Scan Type : Complete Scan
Total Scan Time : 00:29:09

Memory items scanned : 418
Memory items detected : 0
Registry items scanned : 6186
Registry threats detected : 3
Files items scanned : 25595
File threats detected : 0

Rogue.SpywareGuard2008
HKLM\Software\Spyware Guard 2008
HKLM\Software\Spyware Guard 2008\Info
HKLM\Software\Spyware Guard 2008\Lic
January 7, 2009 11:45:52 AM

I'm confused.

Can you reword your above post to clarify please.

If the computer we are working on has lost internet connectivity we will work on fixing it, but I'm really not sure which is working and which isn't. Also, are they both connected wirelessly to your router, or is the desktop connected physically?

If only the pc we are working on has lost the internet, there may be one entry that was fixed with HJT that we can roll back and fix another way that might have caused it. But before we can move ahead I need you to clarify.
January 7, 2009 12:42:33 PM

My desktop is directly connected to my wireless router. My laptop is not directly connected. My desktop is the one w/ all the problems that you have so kindly been helping me with. My laptop is fine.

The wireless router is working. My laptop, and my sister's computer are able to get internet. I hope this helps.
January 7, 2009 1:34:21 PM

Thank you for clarifying.

The problem is likely at the desktop. Leave the router as is, we'll work on the desktop to rectify the connectivity issue.

Unfortunately when dealing with malware, when it is wounded it sometimes tries to take out legitimate processes with it.

Open HJT. When the first screen appears click on "View the list of backups". In the new window highlight this line (the whole line may not be visible, but it will be discernible):

O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll

and click on restore.

Your AntiVirus program may alert you of this action. Ignore or allow it to continue on if it does.

==================================================

If you have a USB flash drive you can copy the reg file we are about to create from the laptop to the desktop then run it, otherwise carefully follow the instructions below.

Next minimize all windows so that you can see the desktop. Right click the desktop and select "New" then "Text Document"

Double click to open.

From the very top line copy / type the bold text below:

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
"AppInit_DLLs"="avgrsstx.dll"


There are no spaces. But you need the blank line between REGEDIT4 and [HKEY_...... Note the little dash / minus sign after =

Once you have ensured that every character and symbol are correct click on file at the top and select "Save as". Save it to your desktop. Name the file regfix.reg (regfix dot reg) and in the dropdown box next to "save as type" select "All files".

On the desktop you should now have an icon that looks like a cube with bits coming off. Right click this and select merge; when prompted to merge with the registry click yes.

Run a fresh HJT scan and post the results back here.

Also let me know if internet connectivity has returned.
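The two steps above (picking HJT entries to "Fix checked", then restoring AppInit_DLLs to only its legitimate DLL with a REGEDIT4 file) as an added example, not code from this thread or from HijackThis: it parses constructed HJT lines built from the entries quoted here, flags them with the same heuristics the helper applied by eye (orphaned "(file missing)" / "(no file)" load points, the broken O10 LSP, unknown DLLs in AppInit_DLLs, pathless autoruns under the SYSTEM/Default hives), and emits the regfix text. The known-good set containing only avgrsstx.dll is an assumption taken from the thread, and the heuristics are the example's own.

```python
"""Triage of a HijackThis log plus the AppInit_DLLs regfix from this thread.
Added example, not code from the thread or from HijackThis; the log lines below
are constructed from entries quoted in the thread, and the heuristics are the
ones the helper applied by eye."""
import re
from dataclasses import dataclass

# Constructed sample in HJT's "Oxx - description - details" layout.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {832626FA-C460-4A29-ADBA-D938601CD02B} - C:\WINDOWS\system32\opnmJARl.dll (file missing)
O2 - BHO: {7e0bff41-2939-646a-92d4-e23d350ad95f} - {f59da053-d32e-4d29-a646-939214ffb0e7} - C:\WINDOWS\system32\ekhyvw.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O20 - AppInit_DLLs: avgrsstx.dll ekhyvw.dll
O20 - Winlogon Notify: rqRIbYQI - rqRIbYQI.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


# Assumption from the thread: AVG's hook is the one legitimate AppInit_DLLs entry.
KNOWN_GOOD_APPINIT = {"avgrsstx.dll"}

_ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")


def parse_entry(line):
    """Split one HJT line into (section, body); None for headers and blank lines."""
    m = _ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def appinit_dlls(body):
    """'AppInit_DLLs: a.dll b.dll' -> ['a.dll', 'b.dll']; None for other O20 lines."""
    prefix = "AppInit_DLLs:"
    return body[len(prefix):].split() if body.startswith(prefix) else None


def triage(log_text, known_good=KNOWN_GOOD_APPINIT):
    """Return the entries a helper would mark for 'Fix checked', each with its reason."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    findings, flagged, bad_names = [], set(), set()

    def flag(section, body, reason):
        findings.append(Finding(section, reason, f"{section} - {body}"))
        flagged.add(body)

    for section, body in entries:
        if "(file missing)" in body or "(no file)" in body:
            flag(section, body, "load point refers to a file that no longer exists")
        elif section == "O10":
            flag(section, body, "Winsock LSP chain is broken; explains the lost connectivity")
        elif section == "O20" and appinit_dlls(body):
            for dll in appinit_dlls(body):
                if dll.lower() not in known_good:
                    bad_names.add(dll.lower())
                    flag(section, body, f"unknown DLL loaded into every process via AppInit_DLLs: {dll}")
        elif section == "O4" and body.startswith("HKUS\\") and "]" in body:
            # The command after "[name]" names a bare file with no directory.
            command = body.split("]", 1)[1].split()
            if command and "\\" not in command[0]:
                flag(section, body, "pathless autorun under the SYSTEM/Default profile hive")
    # Second pass: anything else that references a DLL already flagged in AppInit_DLLs.
    for section, body in entries:
        if body not in flagged and any(name in body.lower() for name in bad_names):
            flag(section, body, "references a DLL already flagged in AppInit_DLLs")
    return findings


def clean_appinit(value, known_good=KNOWN_GOOD_APPINIT):
    """Keep only the DLLs we can vouch for, preserving their order."""
    return [d for d in value.split() if d.lower() in known_good]


def build_regfix(kept):
    """REGEDIT4 text in the shape the thread used: delete the value, then recreate
    it with only the legitimate DLLs (an empty list leaves it deleted)."""
    key = r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"
    lines = ["REGEDIT4", "", key, '"AppInit_DLLs"=-']
    if kept:
        lines.append('"AppInit_DLLs"="%s"' % " ".join(kept))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print(build_regfix(clean_appinit("avgrsstx.dll ekhyvw.dll")))
```

The same triage marks the O10 entry that later turns out to be the cause of the lost connectivity, so the parser is also a quick check for the LSP problem handled further down in the thread.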
January 7, 2009 1:39:32 PM

...\microsoft\windows nt\currentversio...

Sorry, one space between windows nt
January 7, 2009 2:06:33 PM

These narrow Tom's columns don't make it easy.

1st Line: REGED....
2nd Line: <blank>
3rd Line: [HKEY_LO...
4th Line: "AppI...
5th Line: "AppI...
January 7, 2009 10:41:55 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:31 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\VoiceCenter\AndreaVC.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&chann...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&chann...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Save Flash - {4064EA35-578D-4073-A834-C96D82CBCF40} - C:\Program Files\Save Flash\SaveFlash.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [VoiceCenter] "C:\Program Files\Creative\VoiceCenter\AndreaVC.exe" /tray
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\Ad-Watch.exe
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [EPSON Stylus CX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE /FU "C:\WINDOWS\TEMP\E_S16D.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\docume~1\admini~1\locals~1\temp\ntdll64.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUpload...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPl...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Co...
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 11650 bytes
January 7, 2009 11:05:13 PM

Oh and still no connectivity.
January 7, 2009 11:26:03 PM

The rollback worked perfectly and you have correctly run the regfix.

Are you able to transfer files between your pcs with a USB flash drive?
January 7, 2009 11:32:10 PM

If you are, click on the link below and save to the flash drive:

http://www.cexx.org/LSPFix.exe

Once downloaded take the file to the affected pc and copy / paste it to the desktop.

Double click LSPFix.exe to run.

Let me know if you are able to connect to the internet.
January 8, 2009 12:05:27 AM

OMG you are the best! My internet is working! Should I go now and allow my computer to set Restore Dates?
January 8, 2009 1:45:26 AM

Unfortunately I have run short of time.

Leave the restore points for now.

We still need to run a couple of scans to confirm the absence of malware, do a cleanup and run one update.

Once these are done your restore points can be flushed and a new one created.
January 8, 2009 11:36:11 AM

Your Java is out of date. It needs to be updated to prevent any exploits.

Click on the link below to download Java SE Runtime Environment (JRE) 6 Update 11, it should be the first option. Select windows as your platform then check to agree to terms and continue. In this next screen select "Windows Offline Installation" and save it to your desktop.

http://java.sun.com/javase/downloads/index.jsp

Close all open windows and programs then go into control panel > Add / Remove programs. Look for and uninstall all instances of java, JRE and J2SE.

Reboot your PC and install the version of Java you downloaded to your desktop. jre-6u11-windows-i586-p.exe.

January 8, 2009 11:50:24 AM

Download ATF Cleaner to your desktop.

http://www.majorgeeks.com/ATF_Cleaner_d4949.html

Once downloaded double click to start the program. On the main screen put a check mark in "Select all" then click "Empty Selected".

Exit the program when it prompts you that it has finished.
January 8, 2009 12:05:09 PM

Heya nikegurl24,

In case you have gone right to the bottom of this thread can you begin with the Java update a couple of posts up please.

===========================================================================================

Run combofix and post the log.

Here are the instructions:

Again temporarily disable any Realtime protection given by Antivirus, Antispyware and script blocking etc

Download Combofix to your desktop.

Note: It is important that it is saved directly to your desktop

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Close any open browsers and windows except for Combofix

Double click on combofix.exe and follow the prompts.

When it's finished it will produce a log.

Post the entire contents of C:\ComboFix.txt into your next reply.

Note: Do not mouseclick combofix's window while it's running, as it can cause the program to freeze/hang.

In some cases your Antivirus or other realtime scanner will display an alert after you downloaded Combofix or while you use Combofix, please disable your scanners, delete the copy off the desktop and download Combofix again.

Some scanners may see some combofix related components as suspicious and block or delete them. There's nothing wrong with Combofix; heuristic detection can report this false positive because of Combofix's removal technique.
January 8, 2009 7:22:16 PM

When I open ComboFix...it says there are instances of AVG and Norton running. I have AVG 8 and I don't have it running. I do not have Norton. What should I do? Should I just run ComboFix anyway?
January 8, 2009 7:28:45 PM

Oh and for some reason the clock has been switched to military time. Does that mean anything?
January 8, 2009 9:10:30 PM

Combofix changes the time format during the scan.

There is an old entry for Norton / Symantec that showed up in your HJT log. You can run the uninstaller to remove it, but we will save it for the very end.

Yes run Combofix, the log it produces is very comprehensive. Combofix should change the date format back when it has finished the run.
January 8, 2009 9:46:45 PM

Source: http://www.bleepingcomputer.com/forums/topic114351.html

Disable AVG 8
Please open the AVG 8 Control Center, by right clicking on the AVG 8 icon on task bar.
Click on Tools.
Select Advanced.
In the left hand pane, scroll down to "Resident Shield".
In the main pane, deselect the option to "Enable Resident Shield."
To re-enable AVG 8, please select "Enable Resident Shield" again.

We will run the Norton removal tool now so it doesn't interfere with our progress.


Download and run the correct version of the Norton product that was previously installed on your PC:

http://service1.symantec.com/Support/tsgeninfo.nsf/doci...


Try the ComboFix run again.
January 9, 2009 1:59:22 AM

ComboFix 09-01-08.02 - Me 2009-01-08 22:40:15.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.493 [GMT -5:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Me\Application Data\inst.exe
c:\program files\windows media player\mplayer2.exe
c:\windows\IE4 Error Log.txt
c:\windows\system32\drivers\senekaqpktkbgo.sys
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2008-12-09 to 2009-01-09 )))))))))))))))))))))))))))))))
.

2009-01-08 22:36 . 2009-01-08 22:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-01-08 13:28 . 2009-01-08 13:28 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-08 13:28 . 2009-01-08 13:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com
2009-01-06 18:50 . 2009-01-06 18:50 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-05 18:44 . 2009-01-05 18:44 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 18:23 . 2009-01-05 18:23 578,560 --a------ c:\windows\system32\dllcache\user32.dll
2009-01-05 18:18 . 2009-01-05 18:18 <DIR> d-------- c:\windows\ERUNT
2009-01-05 18:16 . 2009-01-06 19:48 <DIR> d-------- C:\SDFix
2009-01-05 10:32 . 2009-01-05 10:32 <DIR> d-------- c:\documents and settings\Me\Application Data\Malwarebytes
2009-01-04 14:58 . 2009-01-04 14:58 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Corel
2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-03 19:15 . 2009-01-03 19:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-03 19:15 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-03 19:15 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 22:59 . 2009-01-02 22:59 <DIR> d-------- C:\b2beff07c30af33b763750
2009-01-02 22:57 . 2009-01-02 22:58 <DIR> d-------- C:\XPSP3
2009-01-02 22:33 . 2009-01-02 22:33 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Apple Computer
2009-01-02 11:49 . 2009-01-02 11:49 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-01-02 11:25 . 2009-01-02 13:44 <DIR> d-------- C:\XPSP2
2009-01-02 11:25 . 2009-01-02 11:35 <DIR> d-------- C:\XPCD
2009-01-02 01:45 . 2006-12-27 10:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec
2009-01-02 01:45 . 2006-12-27 10:21 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2009-01-02 01:45 . 2006-12-27 10:24 <DIR> d--h----- c:\documents and settings\Administrator\Application Data\Gtek
2009-01-02 01:45 . 2006-12-27 10:29 <DIR> d-------- c:\documents and settings\Administrator\Application Data\ATI
2009-01-02 01:45 . 2009-01-03 14:44 <DIR> d-------- c:\documents and settings\Administrator
2008-12-18 07:23 . 2008-12-18 07:23 103,360 --a------ c:\windows\system32\drivers\AnyDVD.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-09 03:46 --------- d-----w c:\program files\DNA
2009-01-09 03:46 --------- d-----w c:\documents and settings\Me\Application Data\DNA
2009-01-09 03:37 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-08 18:28 --------- d-----w c:\program files\Java
2009-01-08 04:42 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-02 05:21 --------- d-----w c:\documents and settings\Me\Application Data\BitTorrent
2009-01-02 01:24 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-01 17:05 --------- d-----w c:\documents and settings\Me\Application Data\Corel
2008-12-31 17:00 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-12-25 19:27 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys
2008-12-25 19:24 88 --sh--r c:\documents and settings\All Users\Application Data\8C99B041E3.sys
2008-12-19 16:04 --------- d-----w c:\documents and settings\Me\Application Data\Tunebite
2008-12-10 08:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-07 05:49 --------- d-----w c:\program files\iTunes
2008-12-07 05:49 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-07 05:48 --------- d-----w c:\program files\iPod
2008-12-07 05:48 --------- d-----w c:\program files\Common Files\Apple
2008-12-07 05:47 --------- d-----w c:\program files\QuickTime
2008-11-22 01:41 --------- d-----w c:\documents and settings\Me\Application Data\Alien Skin
2008-11-22 00:01 --------- d-----w c:\program files\Common Files\Corel
2008-11-22 00:00 --------- d-----w c:\program files\Corel
2008-11-22 00:00 --------- d-----w c:\program files\Common Files\Protexis
2008-11-22 00:00 --------- d-----w c:\documents and settings\All Users\Application Data\Corel
2008-11-21 22:24 --------- d-----w c:\program files\Alien Skin
2008-07-04 02:09 47,360 ----a-w c:\documents and settings\Me\Application Data\pcouffin.sys
2007-05-13 17:04 87,608 ----a-w c:\documents and settings\Me\Application Data\ezpinst.exe
2007-04-30 21:16 476,752 ----a-w c:\documents and settings\All Users\Application Data\pswi_preloaded.exe
2007-01-26 02:54 124 ----a-w c:\documents and settings\Me\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-28 395776]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 1871872]
"EPSON Stylus CX7400 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE" [2007-02-15 179200]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-16 342848]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-12-22 1830128]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2006-02-16 1118208]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-12-27 26112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-05-25 393216]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\Ad-Watch.exe" [2008-08-24 2468200]
"Corel File Shell Monitor"="c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe" [2008-08-18 16712]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Corel Photo Downloader"="c:\program files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" [2008-08-18 532808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-08 136600]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 c:\windows\stsystra.exe]
"MBMon"="CTMBHA.DLL" [2006-06-29 c:\windows\system32\CTMBHA.DLL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-23 97928]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-12-22 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-12-22 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-12-22 7408]
R4 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\program files\CyberLink\PowerDVD\000.fcl [2008-04-16 17:47:39 13560]
R4 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-07-05 875288]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-07-05 231704]
R4 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-05-23 76040]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-02-18 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-09 c:\windows\Tasks\ptngofmu.job
- c:\windows\system32\rundll32.exe [2008-04-13 19:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.sbc.com/dsl
mStart Page = hxxp://www.yahoo.com/?.home=ytie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\umhsj9r3.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.sbc.com/dsl
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\umhsj9r3.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", true);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-08 22:46:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CC1320C2-4A2C-420B-BCE6-3E6750BFED66}\InprocServer32]
@DACL=(02 0000)
@="c:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Internet Explorer\\DLLs\\ieModule.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\software\Spyware Guard 2008\Info]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Spyware Guard 2008\Lic]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\docume~1\Me\LOCALS~1\Temp\clclean.0001
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-01-08 22:52:24 - machine was rebooted [Me]
ComboFix-quarantined-files.txt 2009-01-09 03:52:21

Pre-Run: 74,065,006,592 bytes free
Post-Run: 74,072,891,392 bytes free

245 --- E O F --- 2008-12-18 08:02:03
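Triage of the ComboFix log posted above, as an added example that is not part of the thread and not ComboFix code: it parses the Find3M file lines and the registry value lines and flags the two things a helper checks first by eye, hidden+system files sitting under an Application Data folder (such as 8C99B041E3.sys, which the helper later asks to have uploaded for scanning) and disabled Security Center monitoring or firewall. The line layouts are assumptions read off the log above, the sample lines are copied from it, and every flag is a prompt to review, not a verdict.

```python
"""Triage helper for a ComboFix log excerpt (added example; not ComboFix code)."""
import re

# Find3M line layout as seen in the log: date time size attrs path.
# Directories carry '---------' as size and a leading 'd' in the attribute field.
FIND3M = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\S+) ([a-z-]{7}) (.+)$")
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(\S.*)$')

# Constructed sample: lines copied from the log above, in ComboFix's own format.
SAMPLE_LOG = [
    r"2009-01-09 03:46 --------- d-----w c:\program files\DNA",
    r"2008-12-25 19:27 2,828 --sha-w c:\documents and settings\All Users\Application Data\KGyGaAvL.sys",
    r"2008-12-25 19:24 88 --sh--r c:\documents and settings\All Users\Application Data\8C99B041E3.sys",
    r"2008-07-04 02:09 47,360 ----a-w c:\documents and settings\Me\Application Data\pcouffin.sys",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]",
    r'"DisableMonitoring"=dword:00000001',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]",
    r'"EnableFirewall"= 0 (0x0)',
]


def suspicious_find3m(lines):
    """Files (not directories) carrying both the system and hidden attribute under an
    Application Data folder, where drivers and .sys files rarely belong: scan before trusting."""
    hits = []
    for line in lines:
        m = FIND3M.match(line.strip())
        if not m:
            continue
        attrs, path = m.group(4), m.group(5)
        if attrs.startswith("d"):
            continue  # directories are listed too; only files are of interest
        if "s" in attrs and "h" in attrs and "\\application data\\" in path.lower():
            hits.append(path)
    return hits


def weakened_security_settings(lines):
    """(key, value name) pairs where Security Center monitoring is disabled or the firewall's
    standard profile is off. Some AV suites set the former themselves, so confirm, don't assume."""
    findings, key = [], None
    for line in lines:
        line = line.strip()
        k = REG_KEY.match(line)
        if k:
            key = k.group(1).lower()
            continue
        v = REG_VALUE.match(line)
        if not v or key is None:
            continue
        name, value = v.group(1), v.group(2).strip().lower()
        if "security center\\monitoring" in key and name == "DisableMonitoring" and value.endswith("1"):
            findings.append((key, name))
        elif key.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall" and value.startswith("0"):
            findings.append((key, name))
    return findings
```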
January 10, 2009 12:20:18 PM

There are a couple of files that need to be looked at.

The folder options can be reverted back to their original settings once the scan results are posted

Go into Control Panel > Folder Options and click on the "View" tab at the top of the window. In here click on the "Show hidden files and folders" radio button and uncheck "Hide protected operating system files (recommended)". Allow the changes when prompted.

Go to either of the 2 sites linked below:

http://virusscan.jotti.org/

or

http://www.virustotal.com/

Once there, next to the browse button on the webpage copy and paste the file path (bolded) into the white box and submit. Please submit only one at a time. Once the scan has completed copy / paste the results back here.

c:\documents and settings\All Users\Application Data\8C99B041E3.sys

C:\b2beff07c30af33b763750
January 10, 2009 1:18:20 PM

File: 8C99B041E3.sys
Status: OK
MD5: 25979e3bf09b1b2f1e0dc5616bfe60fa
Packers detected:
-

Scan taken on 10 Jan 2009 15:15:14 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
January 10, 2009 1:30:08 PM

I am not able to upload that last file onto either of the sites. There are 2 files in that folder you had me browse...there is an i386 folder and $shtdwn$.req
It says that I can't scan the i386 folder b/c it's empty and that when I click on the other it says "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"
January 10, 2009 1:33:53 PM

OK, that's fine. It appears to be a legitimate folder. If it's not, an online scan will detect it.

You have done really well and we are now at the business end of the process. It's time to clean up some of the tools we used.

January 10, 2009 1:37:45 PM

Awesome. I really can't thank you enough for all the help you've given me. It is appreciated more than you know :-)
January 10, 2009 2:27:38 PM

Your logs are all clean except for one little issue I'm not too concerned about.

SuperAntiSpyware(SAS) detected registry entries that were picked up by ComboFix. These aren't a concern as the body of the malware has been taken care of.

Can you run SAS again and have it fix these registry entries; they belonged to Spyware Guard 2008. You can also run the scan in safe mode to increase the chance of removal.

OK time for clean up.

==========

Viewpoint has shown on your logs (this wasn't responsible for the PC instability). Viewpoint is not considered malware but rather foistware as it installs on your PC without your knowledge / consent and has running processes in the background. It is advisable to remove.

Go to Start > Settings > Control Panel > Add/Remove Programs and remove any of the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player

==========

SDFix: Delete anything downloaded to your desktop and delete the folder at the root of your operating system. C:\SDFix

==========

HijackThis: Delete anything downloaded to your desktop and remove with control panel "Add / Remove Programs"

==========

ComboFix: Copy the bolded text below:

combofix /u

Click on "Start" > "Run" and paste the text into the box and hit enter.

==========

regfix.reg: Delete from the desktop.

==========

LSPFix.exe: Delete from the desktop.

==========

Java: If it is still there you can delete the Java setup file from the desktop, jre-6u11-windows-i586-p.exe

==========
OPTIONAL
==========

ATF Cleaner: Excellent for keeping temporary files to a minimum. Doesn't use system processes as it is an on call cleaner. Delete from the desktop if you don't need it.

==========

Malwarebytes' Anti-Malware: On call Malware removal tool. Doesn't run on startup. Can be updated and run periodically. Delete anything downloaded to your desktop and remove via control panel "Add / remove programs" if unwanted.

==========

SUPERAntiSpyware: On call Antispyware removal tool. Runs on startup to protect homepage (if selected) and add right click scan functionality. Can be removed from startup and used as an on call scanner. Delete anything downloaded to your desktop and remove via control panel "Add / remove programs" if unwanted.

==========

System Restore

Flush your system restore and set a new restore point.

Click on "Start" > "All Programs" > "Accessories" > "System Tools" > "System Restore".

On the left side of the window click on "System Restore Settings" then put a check mark in "Turn off System Restore on all drives", allow it to continue when prompted.

Reboot your PC then turn system restore back on.
January 10, 2009 2:54:19 PM

I should add, it's important to follow the System Restore step. Malware can hide in system restore and reintroduce itself. Shouldn't have posted it under "Optional".

Last but not least. The online scan.

Eset will detect any more infections and perform a cleanup process. Don't be concerned if it finds infected files, some of the tools we used detect active files and don't perform complete checks for dormant files. This scan is very in-depth and has the most up-to-date virus definition signature database.

Please click on the link and follow the steps below:

1. Go here http://www.eset.com/onlinescan/
2. Agree to the terms and conditions
3. Click "Start"
4. When you see the security warning install and run "OnlineScanner.cab" click yes.
5. Click "Start"
6. To do a full-scan tick: "Remove found threats" and "Scan potentially unwanted applications"
7. Click "Scan". This process will likely take a while
8. Once the scan has finished close the window
9. Next click "Start" > "Run" and copy the bolded text below into the run box and hit enter.

C:\Program Files\EsetOnlineScanner\log.txt

10. A notepad document will open, copy / paste its entire contents back here.

IMPORTANT: Ensure you have reinitiated AVG8 and it is no longer disabled
January 10, 2009 3:31:26 PM

I'm running the scan now. When I restarted my computer after I turned off system restore, I got the BSOD again. I got those "your computer just had a severe error click to send the error logs" messages. I sent them and got this message:

"Corrupted error report"
Unfortunately, the error report you submitted is corrupted and cannot be analyzed. Corrupted error reports are rare. They can be caused by hardware or software problems, and they usually indicate a serious problem with your computer.

The scanner is almost done running now, so I'll be posting that info shortly.
January 10, 2009 3:41:39 PM

I need to see what the scan produces. We may need to run a system file checker.