For Rorschach - Pesky taskbar and desktop icons missing on bootup [Sol
Mikey83
Posted Nov 6 2009, 02:45 PM
Post #1
Member
Posts: 68
OS: xp

Cont. from Windows XP forum. Thanks for your suggestions, guys. I was unable to change the permissions/possession from safe mode. I also tried to copy the file from one location to the other from the safe mode prompt. That was unsuccessful also. I'm pretty sure if I can get the good explorer.exe copied over the bad explorer.exe, it would boot up with the taskbar and desktop icons. Any other thoughts? Mike
Rorschach112
Posted Nov 6 2009, 03:19 PM
Post #2
GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP

hi

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *explorer.exe*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Mikey83
Posted Nov 6 2009, 03:40 PM
Post #3
Member
Posts: 68
OS: xp

Hello. Attached is the requested log file. Good luck. Mike

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 16:34 on 06/11/2009 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*explorer.exe*"
C:\Documents and Settings\Owner\Desktop\Shortcut to explorer.exe.lnk --a--- 755 bytes [03:19 06/11/2009] [03:19 06/11/2009] 410E6C18F70E3F8B35AD7D3C2A3F0776
C:\WINDOWS\explorer.exe --a--- 1033216 bytes [16:49 13/04/2004] [10:23 13/06/2007] (Unable to calculate MD5)
C:\WINDOWS\Prefetch\EXPLORER.EXE-37F6D117.pf --a--- 81084 bytes [23:33 05/11/2009] [16:56 06/11/2009] D0D77B973637A7A006655CC56D66BE4E
C:\WINDOWS\ServicePackFiles\i386\explorer.exe --a--- 1032192 bytes [07:56 04/08/2004] [07:56 04/08/2004] A0732187050030AE399B241436565E64
C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe --a--- 1033216 bytes [21:07 30/10/2009] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87
C:\WINDOWS\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe --a--- 1033728 bytes [20:00 03/09/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\system32\dllcache\explorer.exe --a--- 1033216 bytes [16:28 04/09/2008] [10:23 13/06/2007] 97BD6515465659FF8F3B7BE375B2EA87

-=End Of File=-
Rorschach112
Posted Nov 6 2009, 03:41 PM
Post #4
GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP

okie dokie, should be easy to fix

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.

Mikey83
Posted Nov 6 2009, 04:06 PM
Post #5
Member
Posts: 68
OS: xp

Hi! Here's the ComboFix log

ComboFix 09-11-05.05 - Owner 11/06/2009 16:48.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1067 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1356 [VPS 091106-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\NORTON~1.EXE

.
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.

2009-11-04 17:26 . 2009-11-04 17:26 -------- d-----w- C:\fixpolicy
2009-11-04 17:25 . 2009-11-04 17:25 185065 ----a-w- C:\FixPolicies.exe
2009-11-04 17:12 . 2004-07-17 03:42 176128 ----a-w- C:\TaskbarRepairToolPlus!.exe
2009-11-04 13:57 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-04 13:47 . 2009-11-04 13:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-04 13:45 . 2009-11-04 13:45 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-04 13:44 . 2009-11-05 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-04 13:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 13:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 13:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-02 23:00 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 23:00 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 18:07 . 2009-11-02 18:07 472064 ----a-w- C:\RootRepeal.exe
2009-11-02 02:47 . 2009-11-02 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\PKWARE
2009-11-02 02:47 . 2009-11-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\Common Files\PKWARE
2009-11-02 02:38 . 2009-11-02 02:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-11-02 02:36 . 2009-11-02 02:37 17570480 ----a-w- C:\pkz124016en.exe
2009-11-01 00:43 . 2009-11-02 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 02:53 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-31 02:53 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-31 02:53 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-31 02:53 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-31 02:53 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-31 02:53 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-31 02:53 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-31 02:53 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-31 02:53 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-31 02:52 . 2009-10-31 02:52 -------- d-----w- c:\program files\Alwil Software
2009-10-31 02:50 . 2009-10-31 14:28 308160 ----a-w- C:\avast_home_setup.exe
2009-10-30 21:15 . 2009-10-30 21:16 -------- d-----w- c:\program files\ERUNT
2009-10-30 21:14 . 2009-10-30 21:14 791393 ----a-w- C:\erunt_setup.exe
2009-10-30 18:12 . 2009-10-30 18:12 21504 ----a-w- C:\SysRestorePoint.exe
2009-10-30 18:08 . 2009-11-02 22:47 271872 ----a-w- C:\TFC.exe
2009-10-14 02:07 . 2009-10-14 02:07 -------- d-----w- c:\program files\Mortal Kombat
2009-10-11 04:33 . 2009-10-11 04:33 -------- d-----w- c:\documents and settings\Josiah\Application Data\AskToolbar
2009-10-11 04:33 . 2009-10-26 20:39 -------- d-----w- c:\documents and settings\Josiah\Local Settings\Application Data\AskToolbar
2009-10-08 02:08 . 2009-10-08 02:08 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 16:01 . 2006-09-26 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-11-05 22:44 . 2004-04-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-05 22:35 . 2004-09-04 16:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-04 14:39 . 2004-08-26 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-04 03:54 . 2009-04-22 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-10-30 02:10 . 2009-01-04 18:44 -------- d-----w- c:\program files\Unity
2009-10-30 02:09 . 2009-10-02 14:02 -------- d-----w- c:\program files\Ask.com
2009-10-26 21:52 . 2008-11-04 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-25 01:16 . 2008-03-09 15:17 -------- d-----w- c:\documents and settings\Josiah\Application Data\Azureus
2009-10-17 01:04 . 2008-03-09 15:14 -------- d-----w- c:\program files\Azureus
2009-10-16 03:05 . 2004-08-29 02:48 -------- d-----w- c:\program files\Auction Sentry
2009-10-10 14:26 . 2005-12-28 20:10 -------- d-----w- c:\documents and settings\Josiah\Application Data\Apple Computer
2009-10-09 01:48 . 2007-01-22 16:57 132496 ----a-w- c:\documents and settings\Mason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 23:39 . 2007-04-30 02:07 132496 ----a-w- c:\documents and settings\Josiah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 21:18 . 2005-01-29 20:50 132496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 15:09 . 2004-04-02 22:27 -------- d-----w- c:\program files\Microsoft Works
2009-09-29 13:48 . 2009-09-29 13:48 -------- d-----w- c:\program files\ITI
2009-09-29 01:58 . 2006-01-22 19:46 -------- d-----w- c:\program files\Creative
2009-09-29 01:41 . 2009-09-26 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-09-29 01:39 . 2005-09-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-29 01:35 . 2007-12-24 22:49 -------- d-----w- c:\program files\AVS4YOU
2009-09-29 01:34 . 2009-03-02 02:29 -------- d-----w- c:\program files\Catan GmbH
2009-09-29 01:32 . 2004-04-02 22:20 -------- d-----w- c:\program files\IntelliMover Data Transfer Demo
2009-09-29 01:32 . 2004-04-02 22:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 01:29 . 2004-09-13 12:47 -------- d-----w- c:\program files\Palm
2009-09-28 23:14 . 2009-09-26 15:07 -------- d-----w- c:\program files\Electronic Arts
2009-09-28 23:04 . 2009-09-28 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-28 16:36 . 2007-06-08 01:45 -------- d-----w- c:\program files\Pinnacle
2009-09-27 18:48 . 2009-09-27 18:48 -------- d-----w- c:\program files\AskSearch
2009-09-26 18:25 . 2004-08-25 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-25 05:56 . 2006-06-23 15:33 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\program files\iTunes
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-24 03:18 . 2009-09-24 03:18 -------- d-----w- c:\program files\iPod
2009-09-24 03:18 . 2009-07-26 22:05 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 03:14 . 2009-09-24 03:13 -------- d-----w- c:\program files\QuickTime
2009-09-24 03:05 . 2009-09-24 03:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 03:04 . 2009-09-24 03:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\MSBuild
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\Reference Assemblies
2009-09-23 15:03 . 2009-09-23 15:03 -------- d-----w- c:\program files\MSXML 6.0
2009-09-23 01:18 . 2009-09-23 01:18 -------- d-----w- c:\documents and settings\Josiah\Application Data\NewSoft
2009-09-21 23:44 . 2009-09-21 23:44 10134 ----a-r- c:\documents and settings\Josiah\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-09-21 23:44 . 2009-09-21 23:44 -------- d-----w- c:\program files\Microsoft WSE
2009-09-20 02:05 . 2009-09-20 02:05 45 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences2.dat
2009-09-20 02:05 . 2008-09-10 00:35 37 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences.dat
2009-09-19 11:57 . 2004-04-02 22:07 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-15 02:25 . 2009-04-23 01:31 -------- d-----w- c:\documents and settings\Mason\Application Data\U3
2009-09-11 14:33 . 2008-09-04 16:28 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-04-02 18:41 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-04-13 16:20 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-03-04 02:10 . 2007-12-24 23:00 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-4-2 16384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Josiah\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42917:TCP"= 42917:TCP:BitTorrent
"42917:UDP"= 42917:UDP:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/30/2009 9:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/30/2009 9:53 PM 20560]
S2 ASEService;Aluria Spyware Eliminator Service;c:\progra~1\ALURIA~1\ASE\ASEServ.exe --> c:\progra~1\ALURIA~1\ASE\ASEServ.exe [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cme.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.cme.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 16:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7481F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a7481f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.swf]
@DACL=(02 0000)
@="ShockwaveFlash.ShockwaveFlash"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp]
@DACL=(02 0000)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp.1]
@DACL=(02 0000)
@="FlashProp Class"
.
Completion time: 2009-11-06 17:02
ComboFix-quarantined-files.txt 2009-11-06 22:01

Pre-Run: 41,042,833,408 bytes free
Post-Run: 41,206,009,856 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=,1,2,3,4,5
- - End Of File - - 9D291DDC58AB1228C124559EC64625EB
Rorschach112
Posted Nov 6 2009, 05:47 PM
Post #6
GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP

hi


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\pkz124016en.exe
c:\windows\system32\drivers\rootrepeal.sys

FCopy::
c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe | c:\windows\explorer.exe

Driver::
rootrepeal

KillAll::


Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

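The FCopy:: line in the post above rests on the "------- Sigcheck -------" block of the first ComboFix log: the live c:\windows\explorer.exe could not be hashed even by an elevated scanner, while several cached copies of the same size carry readable, known hashes. As an added example (not part of this thread and not ComboFix's own code), the Python script below parses that block and lists which cached copies qualify as donors for the unreadable file; the sample input is the six Sigcheck lines copied from the log, and all function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: the six lines of the "------- Sigcheck -------" section from
# the first ComboFix log in this thread, copied verbatim.
SIGCHECK_SAMPLE = r"""
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
"""

# One Sigcheck line:  [flag] date . md5-or-error . size . . [version] . . path
# The flag column is carried through untouched; the logic below relies only on
# whether an MD5 could be computed, not on what ComboFix's "[7]" marker means.
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\] "
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?) \. "
    r"(?P<hash>.+?) \. "
    r"(?P<size>\d+) \. \. "
    r"\[(?P<version>[^\]]*)\] \. \. "
    r"(?P<path>\S.*)$"
)
MD5_RE = re.compile(r"[0-9A-Fa-f]{32}")


@dataclass(frozen=True)
class SigcheckEntry:
    flag: str
    md5: Optional[str]       # None when ComboFix could not read the file
    size: int
    version: Optional[str]   # None when the column shows only dashes
    path: str

    @property
    def basename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_sigcheck(text: str) -> list[SigcheckEntry]:
    """Parse every well-formed Sigcheck line; unrelated lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        md5 = m["hash"].upper() if MD5_RE.fullmatch(m["hash"]) else None
        version = None if set(m["version"]) <= {"-"} else m["version"]
        entries.append(SigcheckEntry(m["flag"], md5, int(m["size"]), version, m["path"]))
    return entries


def find_unreadable(entries: list[SigcheckEntry]) -> list[SigcheckEntry]:
    """Copies whose hash could not be computed. A live system binary that an
    elevated scanner cannot even open is the anomaly this thread is chasing."""
    return [e for e in entries if e.md5 is None]


def donor_candidates(entries: list[SigcheckEntry], target: SigcheckEntry) -> list[SigcheckEntry]:
    """Cached copies that could stand in for `target`: same file name, a
    readable hash, identical size, and the same version when it is known.
    Size alone already separates the SP2 update copies (1033216 bytes) from
    the original SP2 file (1032192) and the SP3 copy (1033728)."""
    return sorted(
        (e for e in entries
         if e.path != target.path
         and e.basename == target.basename
         and e.md5 is not None
         and e.size == target.size
         and (target.version is None or e.version == target.version)),
        key=lambda e: e.path.lower(),
    )


def triage(text: str) -> dict[str, list[SigcheckEntry]]:
    """Map each unreadable copy in a Sigcheck block to its possible donors."""
    entries = parse_sigcheck(text)
    return {bad.path: donor_candidates(entries, bad) for bad in find_unreadable(entries)}


if __name__ == "__main__":
    for path, donors in triage(SIGCHECK_SAMPLE).items():
        print(f"unreadable: {path}")
        for d in donors:
            print(f"  donor {d.md5} {d.size:>8} {d.version}  {d.path}")
        if len({d.md5 for d in donors}) > 1:
            # sp2gdr and sp2qfe are the two XP SP2 hotfix branches, so two
            # different hashes here are both legitimate builds of the same version
            print("  note: donors carry different hashes; verify the copied file afterwards")
```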
Mikey83
Posted Nov 6 2009, 08:45 PM
Post #7
Member
Posts: 68
OS: xp

Hello. Here is the ComboFix log for your tailored request. Good luck. Mike

ComboFix 09-11-05.05 - Owner 11/06/2009 21:31.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1044 [GMT -5:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: c:\combofix\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091106-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 17:26 . 2009-11-04 17:26 -------- d-----w- C:\fixpolicy
2009-11-04 17:25 . 2009-11-04 17:25 185065 ----a-w- C:\FixPolicies.exe
2009-11-04 17:12 . 2004-07-17 03:42 176128 ----a-w- C:\TaskbarRepairToolPlus!.exe
2009-11-04 13:57 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-04 13:47 . 2009-11-04 13:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-04 13:45 . 2009-11-04 13:45 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-04 13:44 . 2009-11-05 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-04 13:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 13:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 13:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-02 23:00 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 23:00 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 18:07 . 2009-11-02 18:07 472064 ----a-w- C:\RootRepeal.exe
2009-11-02 02:47 . 2009-11-02 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\PKWARE
2009-11-02 02:47 . 2009-11-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\Common Files\PKWARE
2009-11-02 02:38 . 2009-11-02 02:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-11-02 02:36 . 2009-11-02 02:37 17570480 ----a-w- C:\pkz124016en.exe
2009-11-01 00:43 . 2009-11-02 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 02:53 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-31 02:53 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-31 02:53 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-31 02:53 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-31 02:53 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-31 02:53 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-31 02:53 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-31 02:53 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-31 02:53 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-31 02:52 . 2009-10-31 02:52 -------- d-----w- c:\program files\Alwil Software
2009-10-31 02:50 . 2009-10-31 14:28 308160 ----a-w- C:\avast_home_setup.exe
2009-10-30 21:15 . 2009-10-30 21:16 -------- d-----w- c:\program files\ERUNT
2009-10-30 21:14 . 2009-10-30 21:14 791393 ----a-w- C:\erunt_setup.exe
2009-10-30 18:12 . 2009-10-30 18:12 21504 ----a-w- C:\SysRestorePoint.exe
2009-10-30 18:08 . 2009-11-02 22:47 271872 ----a-w- C:\TFC.exe
2009-10-14 02:07 . 2009-10-14 02:07 -------- d-----w- c:\program files\Mortal Kombat
2009-10-11 04:33 . 2009-10-11 04:33 -------- d-----w- c:\documents and settings\Josiah\Application Data\AskToolbar
2009-10-11 04:33 . 2009-10-26 20:39 -------- d-----w- c:\documents and settings\Josiah\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 16:01 . 2006-09-26 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-11-05 22:44 . 2004-04-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-05 22:35 . 2004-09-04 16:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-04 14:39 . 2004-08-26 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-04 03:54 . 2009-04-22 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-10-30 02:10 . 2009-01-04 18:44 -------- d-----w- c:\program files\Unity
2009-10-30 02:09 . 2009-10-02 14:02 -------- d-----w- c:\program files\Ask.com
2009-10-26 21:52 . 2008-11-04 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-25 01:16 . 2008-03-09 15:17 -------- d-----w- c:\documents and settings\Josiah\Application Data\Azureus
2009-10-17 01:04 . 2008-03-09 15:14 -------- d-----w- c:\program files\Azureus
2009-10-16 03:05 . 2004-08-29 02:48 -------- d-----w- c:\program files\Auction Sentry
2009-10-10 14:26 . 2005-12-28 20:10 -------- d-----w- c:\documents and settings\Josiah\Application Data\Apple Computer
2009-10-09 01:48 . 2007-01-22 16:57 132496 ----a-w- c:\documents and settings\Mason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 23:39 . 2007-04-30 02:07 132496 ----a-w- c:\documents and settings\Josiah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 21:18 . 2005-01-29 20:50 132496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 15:09 . 2004-04-02 22:27 -------- d-----w- c:\program files\Microsoft Works
2009-09-29 13:48 . 2009-09-29 13:48 -------- d-----w- c:\program files\ITI
2009-09-29 01:58 . 2006-01-22 19:46 -------- d-----w- c:\program files\Creative
2009-09-29 01:41 . 2009-09-26 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-09-29 01:39 . 2005-09-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-29 01:35 . 2007-12-24 22:49 -------- d-----w- c:\program files\AVS4YOU
2009-09-29 01:34 . 2009-03-02 02:29 -------- d-----w- c:\program files\Catan GmbH
2009-09-29 01:32 . 2004-04-02 22:20 -------- d-----w- c:\program files\IntelliMover Data Transfer Demo
2009-09-29 01:32 . 2004-04-02 22:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 01:29 . 2004-09-13 12:47 -------- d-----w- c:\program files\Palm
2009-09-28 23:14 . 2009-09-26 15:07 -------- d-----w- c:\program files\Electronic Arts
2009-09-28 23:04 . 2009-09-28 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-28 16:36 . 2007-06-08 01:45 -------- d-----w- c:\program files\Pinnacle
2009-09-27 18:48 . 2009-09-27 18:48 -------- d-----w- c:\program files\AskSearch
2009-09-26 18:25 . 2004-08-25 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-25 05:56 . 2006-06-23 15:33 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\program files\iTunes
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-24 03:18 . 2009-09-24 03:18 -------- d-----w- c:\program files\iPod
2009-09-24 03:18 . 2009-07-26 22:05 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 03:14 . 2009-09-24 03:13 -------- d-----w- c:\program files\QuickTime
2009-09-24 03:05 . 2009-09-24 03:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 03:04 . 2009-09-24 03:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\MSBuild
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\Reference Assemblies
2009-09-23 15:03 . 2009-09-23 15:03 -------- d-----w- c:\program files\MSXML 6.0
2009-09-23 01:18 . 2009-09-23 01:18 -------- d-----w- c:\documents and settings\Josiah\Application Data\NewSoft
2009-09-21 23:44 . 2009-09-21 23:44 10134 ----a-r- c:\documents and settings\Josiah\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-09-21 23:44 . 2009-09-21 23:44 -------- d-----w- c:\program files\Microsoft WSE
2009-09-20 02:05 . 2009-09-20 02:05 45 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences2.dat
2009-09-20 02:05 . 2008-09-10 00:35 37 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences.dat
2009-09-19 11:57 . 2004-04-02 22:07 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-15 02:25 . 2009-04-23 01:31 -------- d-----w- c:\documents and settings\Mason\Application Data\U3
2009-09-11 14:33 . 2008-09-04 16:28 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-04-02 18:41 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-04-13 16:20 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-03-04 02:10 . 2007-12-24 23:00 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-4-2 16384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Josiah\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42917:TCP"= 42917:TCP:BitTorrent
"42917:UDP"= 42917:UDP:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/30/2009 9:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/30/2009 9:53 PM 20560]
S2 ASEService;Aluria Spyware Eliminator Service;c:\progra~1\ALURIA~1\ASE\ASEServ.exe --> c:\progra~1\ALURIA~1\ASE\ASEServ.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cme.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.cme.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7481F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a7481f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.swf]
@DACL=(02 0000)
@="ShockwaveFlash.ShockwaveFlash"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp]
@DACL=(02 0000)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp.1]
@DACL=(02 0000)
@="FlashProp Class"
.
Completion time: 2009-11-07 21:40
ComboFix-quarantined-files.txt 2009-11-07 02:39
ComboFix2.txt 2009-11-07 02:20
ComboFix3.txt 2009-11-06 22:02

Pre-Run: 41,185,218,560 bytes free
Post-Run: 41,169,473,536 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=,1,2,3,4,5
- - End Of File - - 339E2BB019CC9507D07731E4A61BEA86
Attached File: log.txt (19.77K)
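Two parts of the log above carry the security-relevant information for this thread: the Sigcheck table, where the scanner could not open c:\windows\explorer.exe at all (so the live shell could not be compared with the backup copy in system32\dllcache), and the Gmer MBR block, which reports a hook on \Driver\atapi pointing at a kernel module it cannot name. The script below is an added example for this page, not code from ComboFix, Gmer or the Geeks to Go helper: it parses those two sections into findings. Its trust rules are this example's assumptions, not anything the tools define: the dllcache copy is the reference, copies under SoftwareDistribution or ServicePackFiles are staged update/service-pack copies that may legitimately carry another version, and any other copy is the live one. The sample input is copied from the log posted in the thread.

```python
r"""Triage the Sigcheck table and the Gmer MBR block of a ComboFix log.

Added example for this thread, not code from ComboFix, Gmer or the helper.
Trust rules below are this example's assumptions, not the tools' semantics:
  - the copy under system32\dllcache is the reference for a system binary,
  - a copy under SoftwareDistribution or ServicePackFiles is a staged
    update/service-pack copy and may legitimately carry another version,
  - every other copy is the live one Windows actually loads.
"""
import re
from collections import defaultdict

# Lines copied from the log posted in this thread (Sigcheck + MBR detector).
SAMPLE_LOG = r"""
[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7481F8]<<
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a7481f8
Warning: possible MBR rootkit infection !
"""

# Sigcheck row layout: "[flag] date [time] . md5 . size . . [version] . . path"
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?"
    r"\s+\.\s+(?P<hash>.+?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+)$"
)
HOOK_RE = re.compile(r"^(?P<driver>\\Driver\\\S+)\s+->\s+(?P<addr>0x[0-9a-fA-F]+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")
STAGED_DIRS = ("\\softwaredistribution\\", "\\servicepackfiles\\")  # assumption, see docstring


def parse_sigcheck(text):
    """One dict per Sigcheck row; readable=False when the scanner could not hash the file."""
    rows = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["size"] = int(row["size"])
            row["readable"] = not row["hash"].startswith("!HASH")
            rows.append(row)
    return rows


def role(path):
    """Classify a copy as 'reference' (dllcache), 'staged' (update/SP cache) or 'live'."""
    p = path.lower()
    if "\\system32\\dllcache\\" in p:
        return "reference"
    if any(d in p for d in STAGED_DIRS):
        return "staged"
    return "live"


def triage_sigcheck(rows):
    """Compare every non-reference copy of each binary with its dllcache copy.

    Returns (severity, path, note) tuples in log order. A live copy the scanner
    could not open is the worst case: there is no hash to compare, and the file
    should be treated as suspect until it is read from clean boot media.
    """
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["path"].rsplit("\\", 1)[-1].lower()].append(r)
    findings = []
    for copies in by_name.values():
        ref = next((c for c in copies if role(c["path"]) == "reference"), None)
        for c in copies:
            kind = role(c["path"])
            if kind == "reference":
                continue
            if not c["readable"]:
                sev = "HIGH" if kind == "live" else "MEDIUM"
                findings.append((sev, c["path"], "scanner could not open the file; nothing to compare"))
            elif kind == "live":
                if ref is None:
                    findings.append(("MEDIUM", c["path"], "no dllcache copy to compare against"))
                elif c["hash"] != ref["hash"]:
                    findings.append(("HIGH", c["path"], f"md5 {c['hash']} != dllcache md5 {ref['hash']}"))
                else:
                    findings.append(("OK", c["path"], "matches dllcache copy"))
            elif ref is not None and c["version"] != ref["version"]:
                findings.append(("INFO", c["path"], f"staged copy, version {c['version']} vs reference {ref['version']}"))
            elif ref is not None and c["hash"] != ref["hash"]:
                # Same version number, different bytes: normal for the QFE and GDR
                # branches of one hotfix, so only informational here.
                findings.append(("INFO", c["path"], "staged copy, same version but different build"))
    return findings


def parse_mbr_section(text):
    """Pull driver hooks, unknown module addresses and the warning out of the Gmer block."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append((m.group("driver"), m.group("addr").lower()))
    return {
        "hooks": hooks,
        "unknown_modules": [a.lower() for a in UNKNOWN_RE.findall(text)],
        "warning": "possible MBR rootkit infection" in text,
    }


def triage(text):
    return {"sigcheck": triage_sigcheck(parse_sigcheck(text)), "mbr": parse_mbr_section(text)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for sev, path, note in result["sigcheck"]:
        print(f"{sev:<6} {path}: {note}")
    for driver, addr in result["mbr"]["hooks"]:
        print(f"HIGH   MBR hook {driver} -> {addr}; unknown modules {result['mbr']['unknown_modules']}")
```

Run against the posted log, the script yields one HIGH Sigcheck finding (the unreadable c:\windows\explorer.exe), three INFO lines for the staged copies (the 6.00.2900.5512 and 6.00.2900.2180 builds in the update and service-pack caches, and the QFE build that shares the dllcache version number but not its hash), and one MBR hook on \Driver\atapi whose target address matches the UNKNOWN module Gmer lists. Any copy not matching this layout (a different ComboFix version, a path without a dllcache twin) falls through to MEDIUM rather than being silently skipped.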
Rorschach112
post Nov 7 2009, 01:46 PM
Post #8

GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP

Did you have a problem doing that? It looks like it didn't work properly.

Can you try it again?
Mikey83
post Nov 7 2009, 02:31 PM
Post #9

Member
Posts: 68
OS: xp

This is from yesterday's. I went into ComboFix.txt again and copied this, which looks different. Is this it or do you want another log?

Sorry, Mike

ComboFix 09-11-05.05 - Owner 11/06/2009 21:31.5.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1471.1044 [GMT -5:00]
Running from: c:\combofix\ComboFix.exe
Command switches used :: c:\combofix\CFScript.txt
AV: avast! antivirus 4.8.1356 [VPS 091106-2] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((( Files Created from 2009-10-07 to 2009-11-07 )))))))))))))))))))))))))))))))
.

2009-11-04 17:26 . 2009-11-04 17:26 -------- d-----w- C:\fixpolicy
2009-11-04 17:25 . 2009-11-04 17:25 185065 ----a-w- C:\FixPolicies.exe
2009-11-04 17:12 . 2004-07-17 03:42 176128 ----a-w- C:\TaskbarRepairToolPlus!.exe
2009-11-04 13:57 . 2009-10-10 07:07 38208 ----a-w- c:\documents and settings\Owner\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-11-04 13:47 . 2009-11-04 13:47 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-04 13:45 . 2009-11-04 13:45 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-04 13:44 . 2009-11-05 14:11 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-04 13:44 . 2009-09-23 21:37 34112 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg_bootstrap.exe
2009-11-04 13:44 . 2009-09-23 21:37 32448 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
2009-11-04 13:44 . 2009-09-23 21:37 22352 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\chrome\content\getPlusPlus_Adobe_reg.exe
2009-11-02 23:00 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 23:00 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 18:07 . 2009-11-02 18:07 472064 ----a-w- C:\RootRepeal.exe
2009-11-02 02:47 . 2009-11-02 02:48 -------- d-----w- c:\documents and settings\Owner\Application Data\PKWARE
2009-11-02 02:47 . 2009-11-02 02:47 -------- d-----w- c:\documents and settings\All Users\Application Data\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\PKWARE
2009-11-02 02:46 . 2009-11-02 02:46 -------- d-----w- c:\program files\Common Files\PKWARE
2009-11-02 02:38 . 2009-11-02 02:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
2009-11-02 02:36 . 2009-11-02 02:37 17570480 ----a-w- C:\pkz124016en.exe
2009-11-01 00:43 . 2009-11-02 23:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-31 02:53 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-10-31 02:53 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-10-31 02:53 . 2009-09-15 10:53 27408 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-10-31 02:53 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-10-31 02:53 . 2009-09-15 10:56 93424 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-10-31 02:53 . 2009-09-15 10:56 94160 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-10-31 02:53 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-10-31 02:53 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-10-31 02:53 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2009-10-31 02:52 . 2009-10-31 02:52 -------- d-----w- c:\program files\Alwil Software
2009-10-31 02:50 . 2009-10-31 14:28 308160 ----a-w- C:\avast_home_setup.exe
2009-10-30 21:15 . 2009-10-30 21:16 -------- d-----w- c:\program files\ERUNT
2009-10-30 21:14 . 2009-10-30 21:14 791393 ----a-w- C:\erunt_setup.exe
2009-10-30 18:12 . 2009-10-30 18:12 21504 ----a-w- C:\SysRestorePoint.exe
2009-10-30 18:08 . 2009-11-02 22:47 271872 ----a-w- C:\TFC.exe
2009-10-14 02:07 . 2009-10-14 02:07 -------- d-----w- c:\program files\Mortal Kombat
2009-10-11 04:33 . 2009-10-11 04:33 -------- d-----w- c:\documents and settings\Josiah\Application Data\AskToolbar
2009-10-11 04:33 . 2009-10-26 20:39 -------- d-----w- c:\documents and settings\Josiah\Local Settings\Application Data\AskToolbar

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-06 16:01 . 2006-09-26 17:32 -------- d-----w- c:\documents and settings\All Users\Application Data\Napster
2009-11-05 22:44 . 2004-04-03 02:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-11-05 22:35 . 2004-09-04 16:10 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-04 14:39 . 2004-08-26 15:14 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-11-04 03:54 . 2009-04-22 19:26 -------- d-----w- c:\documents and settings\Owner\Application Data\U3
2009-10-30 02:10 . 2009-01-04 18:44 -------- d-----w- c:\program files\Unity
2009-10-30 02:09 . 2009-10-02 14:02 -------- d-----w- c:\program files\Ask.com
2009-10-26 21:52 . 2008-11-04 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-10-25 01:16 . 2008-03-09 15:17 -------- d-----w- c:\documents and settings\Josiah\Application Data\Azureus
2009-10-17 01:04 . 2008-03-09 15:14 -------- d-----w- c:\program files\Azureus
2009-10-16 03:05 . 2004-08-29 02:48 -------- d-----w- c:\program files\Auction Sentry
2009-10-10 14:26 . 2005-12-28 20:10 -------- d-----w- c:\documents and settings\Josiah\Application Data\Apple Computer
2009-10-09 01:48 . 2007-01-22 16:57 132496 ----a-w- c:\documents and settings\Mason\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 23:39 . 2007-04-30 02:07 132496 ----a-w- c:\documents and settings\Josiah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-07 21:18 . 2005-01-29 20:50 132496 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 15:09 . 2004-04-02 22:27 -------- d-----w- c:\program files\Microsoft Works
2009-09-29 13:48 . 2009-09-29 13:48 -------- d-----w- c:\program files\ITI
2009-09-29 01:58 . 2006-01-22 19:46 -------- d-----w- c:\program files\Creative
2009-09-29 01:41 . 2009-09-26 22:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-09-29 01:39 . 2005-09-26 23:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-09-29 01:35 . 2007-12-24 22:49 -------- d-----w- c:\program files\AVS4YOU
2009-09-29 01:34 . 2009-03-02 02:29 -------- d-----w- c:\program files\Catan GmbH
2009-09-29 01:32 . 2004-04-02 22:20 -------- d-----w- c:\program files\IntelliMover Data Transfer Demo
2009-09-29 01:32 . 2004-04-02 22:17 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-29 01:29 . 2004-09-13 12:47 -------- d-----w- c:\program files\Palm
2009-09-28 23:14 . 2009-09-26 15:07 -------- d-----w- c:\program files\Electronic Arts
2009-09-28 23:04 . 2009-09-28 23:04 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2009-09-28 16:36 . 2007-06-08 01:45 -------- d-----w- c:\program files\Pinnacle
2009-09-27 18:48 . 2009-09-27 18:48 -------- d-----w- c:\program files\AskSearch
2009-09-26 18:25 . 2004-08-25 21:57 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-09-25 05:56 . 2006-06-23 15:33 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-04 07:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\program files\iTunes
2009-09-24 03:19 . 2009-09-24 03:17 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-09-24 03:18 . 2009-09-24 03:18 -------- d-----w- c:\program files\iPod
2009-09-24 03:18 . 2009-07-26 22:05 -------- d-----w- c:\program files\Common Files\Apple
2009-09-24 03:14 . 2009-09-24 03:13 -------- d-----w- c:\program files\QuickTime
2009-09-24 03:05 . 2009-09-24 03:05 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.1.8\SetupAdmin.exe
2009-09-24 03:04 . 2009-09-24 03:04 -------- d-----w- c:\program files\iPhone Configuration Utility
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\MSBuild
2009-09-23 15:15 . 2009-09-23 15:15 -------- d-----w- c:\program files\Reference Assemblies
2009-09-23 15:03 . 2009-09-23 15:03 -------- d-----w- c:\program files\MSXML 6.0
2009-09-23 01:18 . 2009-09-23 01:18 -------- d-----w- c:\documents and settings\Josiah\Application Data\NewSoft
2009-09-21 23:44 . 2009-09-21 23:44 10134 ----a-r- c:\documents and settings\Josiah\Application Data\Microsoft\Installer\{E3E71D07-CD27-46CB-8448-16D4FB29AA13}\ARPPRODUCTICON.exe
2009-09-21 23:44 . 2009-09-21 23:44 -------- d-----w- c:\program files\Microsoft WSE
2009-09-20 02:05 . 2009-09-20 02:05 45 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences2.dat
2009-09-20 02:05 . 2008-09-10 00:35 37 ----a-w- c:\documents and settings\Jared\jagex_runescape_preferences.dat
2009-09-19 11:57 . 2004-04-02 22:07 -------- d-----w- c:\windows\Fonts\Fonts
2009-09-15 02:25 . 2009-04-23 01:31 -------- d-----w- c:\documents and settings\Mason\Application Data\U3
2009-09-11 14:33 . 2008-09-04 16:28 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-04-02 18:41 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-26 08:16 . 2004-04-13 16:20 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-18 03:33 . 2009-08-18 03:33 1193832 ----a-w- c:\windows\system32\FM20.DLL
2008-03-04 02:10 . 2007-12-24 23:00 900 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

------- Sigcheck -------

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2qfe\explorer.exe
[-] 2007-06-13 10:23 . !HASH: COULD NOT OPEN FILE !!!!! . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe
[7] 2007-06-13 . 97BD6515465659FF8F3B7BE375B2EA87 . 1033216 . . [6.00.2900.3156] . . c:\windows\system32\dllcache\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 52736]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 644696]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 1603152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]
"USBToolTip"="c:\program files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PS2"="c:\windows\system32\ps2.exe" [2003-09-13 98304]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [2006-01-23 196608]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2004-06-29 88363]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-22 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\1940576\Program\BackWeb-1940576.exe [2004-4-2 16384]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Billminder.lnk
backup=c:\windows\pss\Billminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Planner Reminders Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Event Planner Reminders Tray Icon.lnk
backup=c:\windows\pss\Event Planner Reminders Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PKZIP Attachments Status.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PKZIP Attachments Status.lnk
backup=c:\windows\pss\PKZIP Attachments Status.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Startup.lnk
backup=c:\windows\pss\Quicken Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Documents and Settings\\Josiah\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Compaq Connections\\1940576\\Program\\BackWeb-1940576.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"42917:TCP"= 42917:TCP:BitTorrent
"42917:UDP"= 42917:UDP:BitTorrent

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [10/30/2009 9:53 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [10/30/2009 9:53 PM 20560]
S2 ASEService;Aluria Spyware Eliminator Service;c:\progra~1\ALURIA~1\ASE\ASEServ.exe --> c:\progra~1\ALURIA~1\ASE\ASEServ.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder

2009-10-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cme.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=desktop
uInternet Settings,ProxyOverride = localhost
IE: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
IE: Add To Compaq Organize... - c:\progra~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\
FF - prefs.js: browser.search.selectedEngine -
FF - prefs.js: browser.startup.homepage - hxxp://www.cme.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ff9jhvcr.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\plugins\npPxPlay.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 21:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A7481F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8a7481f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.swf]
@DACL=(02 0000)
@="ShockwaveFlash.ShockwaveFlash"
"Content Type"="application/x-shockwave-flash"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp]
@DACL=(02 0000)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\software\Classes\FlashProp.FlashProp.1]
@DACL=(02 0000)
@="FlashProp Class"
.
Completion time: 2009-11-07 21:40
ComboFix-quarantined-files.txt 2009-11-07 02:39
ComboFix2.txt 2009-11-07 02:20
ComboFix3.txt 2009-11-06 22:02

Pre-Run: 41,185,218,560 bytes free
Post-Run: 41,169,473,536 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=5 Sets=,1,2,3,4,5
- - End Of File - - 339E2BB019CC9507D07731E4A61BEA86
Rorschach112
post Nov 7 2009, 03:40 PM
Post #10


GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP



do this instead

1. Please download The Avenger by Swandog46 to your Desktop.
  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

CODE
Begin copying here:
Files to move:
c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe | c:\windows\explorer.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, open the avenger folder and start The Avenger program by clicking on its icon.
  • Right click on the window under Input script here:, and select Paste.
  • You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply
Mikey83
post Nov 7 2009, 04:34 PM
Post #11


Member
Posts: 68
OS: xp



Hello. The avenger program ran fine, and rebooted with no taskbar or desktop icons. A "Windows no disk message" came up with the following "Exception processing message c0000013 Parameters 75b6bf9c 75b6bf9c 75b6bf9c" with the buttons cancel, continue, and abort. I had to click cancel 5 times to get the box to close (gulp). Thanks for your help. Mike

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "c:\windows\explorer.exe" is whitelisted
File move operation "c:\windows\SoftwareDistribution\Download\44d74c37f0595a363bcec5e9229d8564\sp2gdr\explorer.exe|c:\windows\explorer.exe" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)


Completed script processing.

*******************

Finished! Terminate.
Rorschach112
post Nov 7 2009, 06:22 PM
Post #12


GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP



I just need to get another opinion, hold on tight
Rorschach112
post Nov 16 2009, 12:05 PM
Post #13


GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP



sorry are you still there ?
Mikey83
post Nov 17 2009, 09:23 AM
Post #14


Member
Posts: 68
OS: xp



Yup, still home. Any nibbles on the locked explorer.exe file? Mike
Rorschach112
post Nov 17 2009, 01:32 PM
Post #15


GeekU Teacher
Posts: 35,079
From: Dublin
OS: XP



yeah I actually forgot you were waiting, sorry !


  • Download OTC to your desktop and run it
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.




Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.




Download OTL to your Desktop
  • Double click on the icon to run it. Click the None button
  • Under the Custom Scan box paste this in

    %SYSTEMDRIVE%\explorer.exe /s /md5


  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time
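Both the Avenger step earlier in the thread (moving a copy of explorer.exe from the SoftwareDistribution folder over c:\windows\explorer.exe) and the OTL custom scan above (`%SYSTEMDRIVE%\explorer.exe /s /md5`, which lists every explorer.exe on the system drive with its MD5) rest on the same check: find every copy of the binary, hash each one, and see which copies agree with a known-good reference before anything is overwritten. The script below is an added example written for this thread, not OTL's, The Avenger's or ComboFix's own code; it does the walk-and-hash in Python so it can be run on any drive. The directory tree that `build_sample_tree()` creates is constructed for the demonstration and its file contents are placeholder bytes, not real Windows binaries; the reference copy it picks (the dllcache copy) is an assumption for the demo, and on a real machine the reference should be a copy whose provenance you trust, such as one from installation media or a service pack package.

```python
"""Locate every copy of a named system binary under a root directory, hash each
copy (MD5 to match the OTL /md5 output, SHA-256 as the stronger comparison), and
report which copies differ from a chosen reference copy.

Added example for the thread, not OTL's own code. build_sample_tree() creates a
constructed tree with placeholder contents purely so the script runs offline.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass
class Copy:
    path: str
    size: int
    md5: str
    sha256: str


def hash_file(path):
    """Return (md5, sha256) hex digests of a file, reading it in 64 KiB chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def find_copies(root, name="explorer.exe"):
    """Walk root recursively and hash every file whose name matches.

    The match is case-insensitive because NTFS is; files that cannot be opened
    (locked or permission-denied, as with the explorer.exe in the thread) are
    skipped instead of aborting the whole scan.
    """
    found = []
    target = name.lower()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != target:
                continue
            full = os.path.join(dirpath, fname)
            try:
                md5, sha = hash_file(full)
            except OSError:
                continue
            found.append(Copy(full, os.path.getsize(full), md5, sha))
    return sorted(found, key=lambda c: c.path)


def classify(copies, reference):
    """Split copies into those whose SHA-256 equals the reference file's and those that differ."""
    _ref_md5, ref_sha = hash_file(reference)
    same = [c for c in copies if c.sha256 == ref_sha]
    different = [c for c in copies if c.sha256 != ref_sha]
    return same, different


def build_sample_tree():
    """Constructed demo tree (placeholder contents): two identical 'clean' copies and
    one altered copy at the path Windows actually loads from."""
    root = tempfile.mkdtemp(prefix="explorer_demo_")
    clean = b"MZ-placeholder-clean-explorer" * 100
    altered = clean[:-5] + b"XXXXX"  # same length, different content, so size alone cannot tell them apart
    layout = {
        os.path.join("windows", "explorer.exe"): altered,
        os.path.join("windows", "system32", "dllcache", "explorer.exe"): clean,
        os.path.join("windows", "SoftwareDistribution", "Download", "sp2gdr", "explorer.exe"): clean,
        os.path.join("windows", "system32", "notepad.exe"): b"unrelated",  # must not be picked up
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def run_demo():
    """Build the constructed tree, scan it, and compare against the dllcache copy (assumed reference)."""
    root = build_sample_tree()
    copies = find_copies(root)
    reference = os.path.join(root, "windows", "system32", "dllcache", "explorer.exe")
    same, different = classify(copies, reference)
    return copies, same, different


if __name__ == "__main__":
    copies, same, different = run_demo()
    for c in copies:
        print(f"{c.size:>8}  {c.md5}  {c.path}")
    print("copies differing from reference:", [c.path for c in different])
```

To use it on a real system, call `find_copies(r"C:\")` and pass `classify()` the path of the copy you trust; the OTL `/md5` listing gives the same MD5 values, so the two can be cross-checked. A copy whose size matches but whose hash differs is exactly the case that size or version information alone would miss, and the altered copy in the demo is built that way on purpose.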