Several Different Problems

Recently I was having trouble with my computer and whenever I ran a program I received the error message, "Application cannot be executed. The file is infected." After running SUPER AntiSpyware, McAfee, rkill, Malwarebytes, Hijack This, and ESET scanner things seemed to be running fine.

Now suddenly every couple of minutes the user accounts selection appears on my screen, which never used to show up. I'm the only person who uses my computer, but now it will show my account, plus "ASP.NET Machine A... Limited account password protected." It also shows "Guest. Guest account is off." I never had the user accounts screen come up and don't remember if both of those were there, but I certainly don't remember ASP.NET and have no idea what this is. The user account screen also shows up when I start my computer, but only lists my account. Normally my computer would start without me having to click on anything.

After this started happening, I went to open Adobe Photoshop 7.0 which I have been using for years and never had any problems with. I plugged my Wacom tablet in, but there was no pen pressure sensitivity. This has happened before, but has always fixed itself once I closed and then reopened Photoshop. But when I tried that this time, the tablet stopped working altogether and wouldn't even move the cursor on the screen. I tried closing Photoshop and opening it again, but then I got an error message while "measuring memory" that after a while says, "Could not initialize Photoshop because of a program error." Another error message appeared, which unfortunately I did not write down and has not reappeared, but said something along the lines of something was preventing an application from running.

I have another version of Photoshop, CS4, which I'm able to open, but then the tablet had no pressure sensitivity still. I tried closing and then reopening Photoshop, but then the tablet wouldn't move again. I tried reinstalling the tablet driver, but while the pen would move, again there was no pressure sensitivity. I restarted the computer, but then the tablet wouldn't move at all again. Whenever I tried reinstalling the tablet driver the tablet would allow the cursor to move, but wouldn't have any pressure sensitivity with the pen, and would just stop moving at all if I closed Photoshop or restarted the computer.

Also, after this all started Malwarebytes cannot complete a scan session and crashes. I've run several other programs and none find anything wrong.

I also went to open my Recycle Bin, but received an error that it is corrupted. I was able to open the Recycle Bin, but several of the files would not delete and I would get a message saying, "Cannot delete D10. It is being used by another person or program." Even though this was not the name of the file and no other programs were open.

I pretty much only use my computer to work in Photoshop for my job and check my e-mail. But not being able to even open Photoshop 7.0 which I prefer to use, plus my tablet not working makes it useless. I'm worried about logging into e-mail and typing any passwords out with all this going on. If anyone could help I would greatly appreciate it!

try to run the link below and post 3 logs an expert will see them

http://www.computerhope.com/forum/index.php/topic,46313.0.html

try to run the link below and post 3 logs an expert will see them

http://www.computerhope.com/forum/index.php/topic,46313.0.html

The link just took me back to the main page.

The link just took me back to the main page.

yes , scroll down and do all the tasks asked of you

It just took me back to the main section of the Computer Hope forums. There were no instructions.

it takes you to the virus and malware guidelines section with 4 posts by evilfantasy full of instructions to complete

http://www.computerhope.com/forum/index.php/topic,46313.0.html

[Malware Removal Specialist]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

What type of OS (Operating System) are you using?

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

What type of OS (Operating System) are you using?

Hi Dave, I am using Windows XP.

[Malware Removal Specialist]

Please download

ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Rename ComboFix.exe to commy.exe before you save it to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools A guide to do this can be found here
Click Start>Run then copy paste the following command into the Run box & click OK "%userprofile%\desktop\commy.exe" /stepdel
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console[/list]

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you.  Please include the contents of C:\ComboFix.txt in your next reply.

If you have problems with ComboFix usage, see How to use ComboFix

Hi Dave,

Thank you. The first time I ran combo fix I thought McAffee was turned off, but it wasn't. I closed it and restarted and the screen was blue saying there was a problem with a lot of files and that it was deleting things. Sorry if that isn't very descriptive, many things were scrolling past on that page too quick for me to write down. But when my computer started up again I ran combo fix and this is the log it created:

ComboFix 10-12-16.01 - Jen 12/16/2010  14:48:46.1.2 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1919.1461 [GMT -7:00]
Running from: c:\documents and settings\Jen\desktop\commy.exe
Command switches used :: /stepdel
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan Enterprise *Disabled/Updated* {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arp.exe
c:\windows\system32\SCardSvr.exe

.
(((((((((((((((((((((((((   Files Created from 2010-11-16 to 2010-12-16  )))))))))))))))))))))))))))))))
.

2010-12-16 19:04 . 2010-09-07 14:47   17744   ----a-w-   c:\windows\system32\drivers\aswFsBlk.sys
2010-12-16 19:04 . 2010-09-07 14:52   165584   ----a-w-   c:\windows\system32\drivers\aswSP.sys
2010-12-16 19:04 . 2010-09-07 14:47   23376   ----a-w-   c:\windows\system32\drivers\aswRdr.sys
2010-12-16 19:04 . 2010-09-07 14:52   46672   ----a-w-   c:\windows\system32\drivers\aswTdi.sys
2010-12-16 19:04 . 2010-09-07 14:47   100176   ----a-w-   c:\windows\system32\drivers\aswmon2.sys
2010-12-16 19:04 . 2010-09-07 14:47   94544   ----a-w-   c:\windows\system32\drivers\aswmon.sys
2010-12-16 19:04 . 2010-09-07 14:46   28880   ----a-w-   c:\windows\system32\drivers\aavmker4.sys
2010-12-16 19:03 . 2010-09-07 15:12   38848   ----a-w-   c:\windows\avastSS.scr
2010-12-16 19:03 . 2010-09-07 15:11   167592   ----a-w-   c:\windows\system32\aswBoot.exe
2010-12-16 19:03 . 2010-12-16 19:03   --------   d-----w-   c:\program files\Alwil Software
2010-12-16 19:03 . 2010-12-16 19:03   --------   d-----w-   c:\documents and settings\All Users\Application Data\Alwil Software
2010-12-15 21:09 . 2010-11-02 15:17   40960   -c----w-   c:\windows\system32\dllcache\ndproxy.sys
2010-12-15 21:09 . 2010-10-11 14:59   45568   -c----w-   c:\windows\system32\dllcache\wab.exe
2010-12-14 14:28 . 2010-12-14 14:28   --------   d-----w-   c:\program files\CCleaner
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\AIM Toolbar
2010-12-05 08:09 . 2010-12-05 08:09   --------   d-----w-   c:\program files\Common Files\Software Update Utility
2010-12-05 01:54 . 2010-12-05 01:54   --------   d-----w-   c:\program files\TabletPlugins
2010-11-18 18:12 . 2010-11-18 18:12   81920   -c----w-   c:\windows\system32\dllcache\isign32.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-16 21:58 . 2009-07-10 05:39   6520   ----a-w-   c:\windows\system32\drivers\ghstwall.sys
2010-11-30 00:42 . 2010-11-04 02:15   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-30 00:42 . 2010-11-04 02:14   20952   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-11-18 18:12 . 2009-07-08 07:41   81920   ----a-w-   c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2001-08-23 12:00   916480   ----a-w-   c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2001-08-23 12:00   43520   ----a-w-   c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2001-08-23 12:00   1469440   ------w-   c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 05:59   385024   ----a-w-   c:\windows\system32\html.iec
2010-11-02 15:17 . 2001-08-23 12:00   40960   ----a-w-   c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2001-08-23 12:00   290048   ----a-w-   c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2001-08-23 12:00   1853312   ----a-w-   c:\windows\system32\win32k.sys
2010-09-18 19:23 . 2001-08-23 12:00   974848   ----a-w-   c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2001-08-23 12:00   974848   ----a-w-   c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2001-08-23 12:00   954368   ----a-w-   c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2001-08-23 12:00   953856   ----a-w-   c:\windows\system32\mfc40u.dll
2008-02-08 04:46 . 2008-02-08 04:46   13624   ----a-w-   c:\program files\mozilla firefox\plugins\cgpcfg.dll
2008-02-08 04:46 . 2008-02-08 04:46   87360   ----a-w-   c:\program files\mozilla firefox\plugins\CgpCore.dll
2008-02-08 04:46 . 2008-02-08 04:46   91448   ----a-w-   c:\program files\mozilla firefox\plugins\confmgr.dll
2008-02-08 04:46 . 2008-02-08 04:46   21824   ----a-w-   c:\program files\mozilla firefox\plugins\ctxlogging.dll
2008-02-08 04:46 . 2008-02-08 04:46   206136   ----a-w-   c:\program files\mozilla firefox\plugins\ctxmui.dll
2008-02-08 04:46 . 2008-02-08 04:46   31544   ----a-w-   c:\program files\mozilla firefox\plugins\icafile.dll
2008-02-08 04:46 . 2008-02-08 04:46   40248   ----a-w-   c:\program files\mozilla firefox\plugins\icalogon.dll
2007-03-17 00:27 . 2007-03-17 00:27   479232   ----a-w-   c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-03-17 00:27 . 2007-03-17 00:27   548864   ----a-w-   c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-03-17 00:27 . 2007-03-17 00:27   626688   ----a-w-   c:\program files\mozilla firefox\plugins\msvcr80.dll
2007-07-20 19:47 . 2007-07-20 19:47   981170   ----a-w-   c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2008-02-08 04:46 . 2008-02-08 04:46   24384   ----a-w-   c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-22 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"GhostWall"="c:\program files\GhostWall\ghostwall.exe" [2005-09-29 217088]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-02 16049664]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-10-07 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-11-21 12669544]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-11-21 110184]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

c:\documents and settings\Jen\Start Menu\Programs\Startup\
ViiKiiDesktopPlugin.lnk - c:\program files\ViiKiiDesktopPlugin\ViiKiiDesktopPlugin.exe [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/16/2010 12:04 PM 165584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [1/5/2010 7:56 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 7:56 AM 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/16/2010 12:04 PM 17744]
R2 ghstwall;ghstwall;c:\windows\system32\drivers\ghstwall.sys [7/9/2009 10:39 PM 6520]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 5:49 AM 227232]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 7:56 AM 12872]
S4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [7/10/2009 6:31 PM 5010288]
.
Contents of the 'Scheduled Tasks' folder

2010-12-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004Core.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]

2010-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1645522239-448539723-839522115-1004UA.job
- c:\documents and settings\Jen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-22 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.com
uInternet Settings,ProxyServer = http=127.0.0.1:10293
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jen\Application Data\Mozilla\Firefox\Profiles\89sau4uu.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/aol/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.search.selectedEngine - Ask.com
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 50370
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\Jen\Application Data\Move Networks
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-nwiz - nwiz.exe
SafeBoot-mcmscsvc
SafeBoot-MCODS
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe
AddRemove-M2416447 - c:\windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe
AddRemove-NVIDIA Display Control Panel - c:\program files\NVIDIA Corporation\Uninstall\nvuninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-16 14:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]
@DACL=(02 0000)
@="Microsoft Disk Quota"
"NoMachinePolicy"=dword:00000000
"NoUserPolicy"=dword:00000001
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"RequiresSuccessfulRegistry"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000000
"DllName"=expand:"dskquota.dll"
"ProcessGroupPolicy"="ProcessGroupPolicy"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]
@DACL=(02 0000)
@="Internet Explorer Zonemapping"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"
"NoGPOListChanges"=dword:00000001
"RequiresSucessfulRegistry"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]
@DACL=(02 0000)
@="Internet Explorer User Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"
"GenerateGroupPolicy"="SceGenerateGroupPolicy"
"ExtensionRsopPlanningDebugLevel"=dword:00000001
"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"
"ExtensionDebugLevel"=dword:00000001
"DllName"=expand:"scecli.dll"
@="Security"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"EnableAsynchronousProcessing"=dword:00000001
"MaxNoGPOListChangesInterval"=dword:000003c0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]
@DACL=(02 0000)
"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"ProcessGroupPolicy"="ProcessGroupPolicy"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
@="Internet Explorer Branding"
"NoSlowLink"=dword:00000001
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000001
"NoMachinePolicy"=dword:00000001
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]
@DACL=(02 0000)
"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"
"DllName"=expand:"scecli.dll"
@="EFS recovery"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]
@DACL=(02 0000)
@="802.3 Group Policy"
"DisplayName"=expand:"@dot3gpclnt.dll,-100"
"ProcessGroupPolicyEx"="ProcessLANPolicyEx"
"GenerateGroupPolicy"="GenerateLANPolicy"
"DllName"=expand:"dot3gpclnt.dll"
"NoUserPolicy"=dword:00000001
"NoGPOListChanges"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]
@DACL=(02 0000)
@="Microsoft Offline Files"
"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"
"EnableAsynchronousProcessing"=dword:00000000
"NoBackgroundPolicy"=dword:00000000
"NoGPOListChanges"=dword:00000000
"NoMachinePolicy"=dword:00000000
"NoSlowLink"=dword:00000000
"NoUserPolicy"=dword:00000001
"PerUserLocalSettings"=dword:00000000
"ProcessGroupPolicy"="ProcessGroupPolicy"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]
@DACL=(02 0000)
@="Software Installation"
"DllName"=expand:"appmgmts.dll"
"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"
"GenerateGroupPolicy"="GenerateGroupPolicy"
"NoBackgroundPolicy"=dword:00000000
"RequiresSucessfulRegistry"=dword:00000000
"NoSlowLink"=dword:00000001
"PerUserLocalSettings"=dword:00000001
"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]
@DACL=(02 0000)
@="Internet Explorer Machine Accelerators"
"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"
"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"
"NoGPOListChanges"=dword:00000001
"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"
"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"
"RequiresSuccessfulRegistry"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
@DACL=(02 0000)
"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll"
"Logon"="SABWINLOLogon"
"Logoff"="SABWINLOLogoff"
"Startup"="SABWINLOStartup"
"Shutdown"="SABWINLOShutdown"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Antiwpa]
@DACL=(02 0000)
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
"DllName"="antiwpa.dll"
"Startup"="onStartup"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=expand:"cryptnet.dll"
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
@DACL=(02 0000)
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
@DACL=(02 0000)
"Asynchronous"=dword:00000001
"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"
"Startup"="WlDimsStartup"
"Shutdown"="WlDimsShutdown"
"Logon"="WlDimsLogon"
"Logoff"="WlDimsLogoff"
"StartShell"="WlDimsStartShell"
"Lock"="WlDimsLock"
"Unlock"="WlDimsUnlock"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
@DACL=(02 0000)
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=expand:"sclgntfy.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
@DACL=(02 0000)
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
@DACL=(02 0000)
"Asynchronous"=dword:00000000
"DllName"=expand:"wlnotify.dll"
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
@DACL=(02 0000)
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEven t"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
@DACL=(02 0000)
"HelpAssistant"=dword:00000000
"TsInternetUser"=dword:00000000
"SQLAgentCmdExec"=dword:00000000
"NetShowServices"=dword:00000000
"IWAM_"=dword:00010000
"IUSR_"=dword:00010000
"VUSR_"=dword:00010000
"ASPNET"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3856)
c:\windows\system32\WININET.dll
c:\program files\SmartFTP Client\en-US\sfShellTools.dll.mui
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
c:\program files\McAfee\VirusScan Enterprise\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-12-16  15:06:11 - machine was rebooted
ComboFix-quarantined-files.txt  2010-12-16 22:06

Pre-Run: 15,102,398,464 bytes free
Post-Run: 14,880,346,112 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - 49816B3BF7C2518CA93F4E1F1FBA2F2F

[Malware Removal Specialist]

The log show that you're running two Anti-Virus programs on your computer: avast! Antivirus and McAfee VirusScan Enterprise.You should on run one AV program and one Firewall on your computer because they conflict. One will have to be permanently disabled.

P2P - I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

Please note: Even if you are using a "safe" P2P program (BitTorrent), it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.
*******************************************
Re-running ComboFix to remove infections:

• Close any open browsers.
• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• Open notepad and copy/paste the text in the quotebox below into it:
  

  KillAll::
  
  DDS::
  uInternet Settings,ProxyServer = http=127.0.0.1:10293
  FF - prefs.js: browser.search.selectedEngine - Ask.com
  
  Rootkit::
  
  
• Save this as CFScript.txt, in the same location as ComboFix.exe
  
  
  
  
• Referring to the picture above, drag CFScript into ComboFix.exe
• When finished, it shall produce a log for you at C:\ComboFix.txt
  
• I don't need to see this log.
  

***************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Unzip SecurityCheck.zip and a folder named Security Check should appear.
* Open the Security Check folder and double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
***************************************
SysProt Antirootkit

Download
SysProt Antirootkit from the link below (you will find it at the bottom
of the page under attachments, or you can get it from one of the
mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

• Double click Sysprot.exe to start the program.
• Click on the Log tab.
• In the Write to log box select the following items.
• Process << Selected
  
• Kernel Modules << Selected
  
• SSDT << Selected
  
• Kernel Hooks << Selected
  
• IRP Hooks << NOT Selected
  
• Ports << NOT Selected
  
• Hidden Files << Selected
  
• At the bottom of the page
• Hidden Objects Only << Selected
  
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.
• Select Scan Root Drive. Click on the Start button.
• When it is complete a new window will appear to indicate that the scan is finished.
• The

log will be saved automatically in the same folder Sysprot.exe was
extracted to. Open the text file and copy/paste the log here.
[/list].

Hi Dave,

Earlier I had renamed ComboFix to commy.exe, do I need to change the file name or download it again before doing these steps? Thank you!

[Malware Removal Specialist]

No. Even though you renamed it, it's still ComboFix.exe

After I dragged CFScript.txt into ComboFix, ComboFix started, but then my screen went blue, restarted, and gave me a message that the computer had a serious error. I went to check if there was a log at C:\ComboFix.txt, but there's nothing in the ComboFix folder. Should I proceed with downloading Security Check by screen317 still?

[Malware Removal Specialist]

Forget about the ComboFix script for now. We'll deal with it later. Please continue with the other scans.