
Author Topic: after using kaspersky computer won't boot  (Read 19326 times)


JAJsangel

    Topic Starter


    Beginner
    • Experience: Familiar
    • OS: Windows 8
    after using kaspersky computer won't boot
    « on: July 27, 2012, 09:01:54 PM »
    It says "welcome to grub
    entering rescue mode
    error: unknown filesystem"
    Tried going into the BIOS and starting the CD-ROM drive with the Kaspersky disk in... still says that.

    Googled and got a lot about Linux or Ubuntu (dunno what that is) or just plain didn't make sense.

    Allan

    • Moderator

    • Mastermind
    • Thanked: 1260
    • Experience: Guru
    • OS: Windows 10
    Re: after using kaspersky computer won't boot
    « Reply #1 on: July 28, 2012, 04:30:05 AM »
    You need to provide a LOT more information about what happened, what you did, why you did it, what type of system and OS you have, etc. Everything you can think of.

    JAJsangel

      Topic Starter


      Beginner
      • Experience: Familiar
      • OS: Windows 8
      Re: after using kaspersky computer won't boot
      « Reply #2 on: July 28, 2012, 04:37:52 AM »
      I had Live Security Platinum somehow, which prevented me from even starting Task Manager, so first I scanned in safe mode with Malwarebytes, then I installed Kaspersky in safe mode with networking (in case it needed updates or something... this is my first time using Kaspersky). It told me that the system was infected, preventing it from running, so I installed Kaspersky's virus removal tool. After it finished it rebooted and now it won't even go to Windows AT ALL... just displays that grub thing. Apparently you can type in some type of command but I don't know what it would be because I tried exit and quit. That didn't do anything.

      OS: Windows XP home edition
      Desktop

      Allan

      • Moderator

      • Mastermind
      • Thanked: 1260
      • Experience: Guru
      • OS: Windows 10
      Re: after using kaspersky computer won't boot
      « Reply #3 on: July 28, 2012, 04:40:58 AM »
      Please wait for a malware specialist to respond further.

      SuperDave

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Thanked: 1020
      • Certifications: List
      • Experience: Expert
      • OS: Windows 10
      Re: after using kaspersky computer won't boot
      « Reply #4 on: July 28, 2012, 04:44:13 PM »
      Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

      1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
      2. The fixes are specific to your problem and should only be used for this issue on this machine.
      3. If you don't know or understand something, please don't hesitate to ask.
      4. Please DO NOT run any other tools or scans while I am helping you.
      5. It is important that you reply to this thread. Do not start a new topic.
      6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
      7. Absence of symptoms does not mean that everything is clear.

      If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
      *************************************************************************
      Go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.
      Windows 8 and Windows 10 dual boot with two SSD's

      JAJsangel

        Topic Starter


        Beginner
        • Experience: Familiar
        • OS: Windows 8
        Re: after using kaspersky computer won't boot
        « Reply #5 on: July 28, 2012, 07:53:47 PM »
        I'm so dumb. I found out later that all I had to do to boot to Windows was take the disk out. It was too late to edit my post and I didn't know if I should post another one or not because of the rules (I guess I should have).
        The internet works too, but we need to check if there's still an infection, right? I did the SUPERAntiSpyware and Malwarebytes scans. Do you want me to post the logs now?


        SuperDave

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Thanked: 1020
        • Certifications: List
        • Experience: Expert
        • OS: Windows 10
        Re: after using kaspersky computer won't boot
        « Reply #6 on: July 29, 2012, 01:43:19 PM »
        Yes, please post the logs and we'll take a look at them.

        JAJsangel

          Topic Starter


          Beginner
          • Experience: Familiar
          • OS: Windows 8
          Re: after using kaspersky computer won't boot
          « Reply #7 on: July 31, 2012, 11:50:33 PM »
          ok here ya go

          [year+ old attachment deleted by admin]

          SuperDave

          • Malware Removal Specialist
          • Moderator


          • Genius
          • Thanked: 1020
          • Certifications: List
          • Experience: Expert
          • OS: Windows 10
          Re: after using kaspersky computer won't boot
          « Reply #8 on: August 01, 2012, 04:32:10 PM »
          Please do not attach your logs unless absolutely necessary. Copy and paste them in your reply(ies).
          Please run MBAM again and, this time, clean the infections and post the log.


          Download Security Check by screen317 from one of the following links and save it to your desktop.

          Link 1
          Link 2

          * Double-click Security Check.bat
          * Follow the on-screen instructions inside of the black box.
          * A Notepad document should open automatically called checkup.txt
          * Post the contents of that document in your next reply.

          Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.
          *****************************************************************
          Download Combofix from any of the links below, and save it to your DESKTOP

          Link 1
          Link 2
          Link 3

          To prevent your anti-virus application from interfering with ComboFix, we need to disable it. See here for a tutorial regarding how to do so if you are unsure.
          • Close any open windows and double click ComboFix.exe to run it.

            You will see the following image:


          Click I Agree to start the program.

          ComboFix will then extract the necessary files and you will see this:



          As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. This will not occur in Windows Vista and 7.

          It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

          If you did not have it installed, you will see the prompt below. Choose YES.



          Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

          **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

          Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



          Click on Yes, to continue scanning for malware.

          When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

          Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

          Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

          JAJsangel

            Topic Starter


            Beginner
            • Experience: Familiar
            • OS: Windows 8
            Re: after using kaspersky computer won't boot
            « Reply #9 on: August 02, 2012, 02:03:41 PM »
            Database version: v2012.07.28.06

            Windows XP Service Pack 3 x86 NTFS (Safe Mode)
            Internet Explorer 8.0.6001.18702
            Owner :: YOUR-904C03B1D8 [administrator]

            8/1/2012 7:19:35 PM
            mbam-log-2012-08-01 (19-19-35).txt

            Scan type: Full scan (C:\|)
            Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
            Scan options disabled: P2P
            Objects scanned: 381267
            Time elapsed: 2 hour(s), 16 minute(s), 1 second(s)

            Memory Processes Detected: 0
            (No malicious items detected)

            Memory Modules Detected: 0
            (No malicious items detected)

            Registry Keys Detected: 5
            HKCU\SOFTWARE\CLASSES\CLSID\{42AEDC87-2188-41FD-B9A3-0C966FEABEC1}\INPROCSERVER32 (Trojan.Zaccess) -> Quarantined and deleted successfully.
            HKCU\Software\appkikxSA (Adware.HotBar.AK) -> Quarantined and deleted successfully.
            HKCU\Software\blueturtlegamesSA (Adware.HotBar.BTG) -> Quarantined and deleted successfully.
            HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\blueturtlegamesSA (Adware.HotBar.BTG) -> Quarantined and deleted successfully.
            HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

            Registry Values Detected: 3
            HKCU\SOFTWARE\CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32| (Trojan.Zaccess) -> Data: C:\Documents and Settings\Owner\Local Settings\Application Data\{c32af68d-7439-1b5b-23fa-772104eb662e}\n. -> Quarantined and deleted successfully.
            HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ares (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Ares\zlvhy.dll",CreateInstance -> Quarantined and deleted successfully.
            HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Ares (Trojan.RedirRdll3.Gen) -> Data: rundll32.exe "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Ares\zlvhy.dll",CreateInstance -> Quarantined and deleted successfully.

            Registry Data Items Detected: 0
            (No malicious items detected)

            Folders Detected: 0
            (No malicious items detected)

            Files Detected: 7
            C:\Documents and Settings\Owner\Local Settings\Application Data\{c32af68d-7439-1b5b-23fa-772104eb662e}\U\00000004.@ (Rootkit.Zaccess) -> Quarantined and deleted successfully.
            C:\Documents and Settings\Owner\Local Settings\Application Data\{c32af68d-7439-1b5b-23fa-772104eb662e}\U\00000008.@ (Trojan.Dropper.BCMiner) -> Quarantined and deleted successfully.
            C:\Documents and Settings\Owner\Local Settings\Temp\0.7199932044193886 (Trojan.BHO) -> Quarantined and deleted successfully.
            C:\Documents and Settings\Owner\My Documents\Downloads\finalmediaplayer_2.exe (PUP.BundleOffers.IIQ) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0048284.exe (Trojan.LameShield) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP270\A0048366.ini (Trojan.0access) -> Quarantined and deleted successfully.
            C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Ares\zlvhy.dll (Trojan.RedirRdll3.Gen) -> Quarantined and deleted successfully.



            Results of screen317's Security Check version 0.99.43 
             Windows XP Service Pack 3 x86   
             Internet Explorer 8 
            ``````````````Antivirus/Firewall Check:``````````````
             Windows Security Center service is not running! This report may not be accurate!
            `````````Anti-malware/Other Utilities Check:`````````
             SUPERAntiSpyware     
             Malwarebytes Anti-Malware version 1.62.0.1300 
             Panda ActiveScan Cleaner   
             Java(TM) 6 Update 22 
             Java(TM) 6 Update 31 
             Java version out of Date!
             Adobe Flash Player    11.3.300.268 
             Adobe Reader X (10.1.3)
             Mozilla Firefox (14.0.1)
            ````````Process Check: objlist.exe by Laurent````````
            `````````````````System Health check`````````````````
             Total Fragmentation on Drive C:: 18% Defragment your hard drive soon!
            ````````````````````End of Log``````````````````````



            ComboFix 12-07-31.03 - Owner 08/01/2012  22:40:50.1.1 - x86 NETWORK
            Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1502.1213 [GMT -4:00]
            Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
            .
            .
            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            c:\documents and settings\Administrator\WINDOWS
            c:\documents and settings\All Users\Application Data\AMMYY
            c:\documents and settings\All Users\Application Data\AMMYY\hr
            c:\documents and settings\All Users\Application Data\AMMYY\hr3
            c:\documents and settings\All Users\Application Data\AMMYY\settings3.bin
            c:\documents and settings\All Users\Application Data\TEMP
            c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
            c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
            c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
            c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
            c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
            c:\documents and settings\All Users\Application Data\TEMP\YamYamIn.exe
            c:\documents and settings\Default User\WINDOWS
            c:\documents and settings\Owner\Application Data\PriceGong
            c:\documents and settings\Owner\Application Data\PriceGong\Data\1.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\a.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\b.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\c.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\d.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\e.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\f.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\g.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\h.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\i.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\j.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\k.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\l.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\m.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\mru.xml
            c:\documents and settings\Owner\Application Data\PriceGong\Data\n.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\o.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\p.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\q.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\r.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\s.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\t.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\u.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\v.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\w.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\wlu.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\x.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\y.txt
            c:\documents and settings\Owner\Application Data\PriceGong\Data\z.txt
            c:\documents and settings\Owner\Application Data\vso_ts_preview.xml
            c:\documents and settings\Owner\WINDOWS
            c:\windows\assembly\GAC\Desktop.ini
            c:\windows\Installer\{c32af68d-7439-1b5b-23fa-772104eb662e}\@
            c:\windows\Installer\{c32af68d-7439-1b5b-23fa-772104eb662e}\L\00000004.@
            c:\windows\Installer\{c32af68d-7439-1b5b-23fa-772104eb662e}\U\000000cb.@
            c:\windows\Installer\{c32af68d-7439-1b5b-23fa-772104eb662e}\U\80000000.@
            c:\windows\Installer\{c32af68d-7439-1b5b-23fa-772104eb662e}\U\80000032.@
            c:\windows\system32\config\systemprofile\WINDOWS
            c:\windows\Update.bat
            .
            .
            (((((((((((((((((((((((((   Files Created from 2012-07-02 to 2012-08-02  )))))))))))))))))))))))))))))))
            .
            .
            2012-07-31 05:24 . 2012-07-31 05:31   --------   d-----w-   c:\program files\FinalMediaPlayer
            2012-07-30 19:50 . 2012-07-30 19:50   --------   d-----w-   c:\program files\iPod
            2012-07-30 19:50 . 2012-07-30 19:51   --------   d-----w-   c:\program files\iTunes
            2012-07-28 19:52 . 2012-07-28 19:53   --------   d-----w-   c:\program files\SUPERAntiSpyware
            2012-07-28 02:24 . 2012-07-28 02:24   --------   d-sh--w-   c:\documents and settings\NetworkService\IETldCache
            2012-07-28 02:17 . 2012-07-28 02:17   --------   d-----w-   c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
            2012-07-28 02:11 . 2012-07-28 02:11   --------   d-sh--w-   c:\documents and settings\Administrator\PrivacIE
            2012-07-28 02:07 . 2012-07-28 02:07   --------   d-----w-   c:\windows\system32\LogFiles
            2012-07-27 23:50 . 2012-07-27 23:50   --------   d-sh--w-   c:\documents and settings\LocalService\IETldCache
            2012-07-27 23:45 . 2012-07-27 23:47   --------   d-----w-   c:\documents and settings\All Users\Application Data\6F63A58800547533266CA70E7B07D329
            2012-07-27 19:01 . 2012-07-27 19:01   9821896   ----a-w-   c:\windows\system32\FlashPlayerInstaller.exe
            2012-07-27 15:17 . 2001-08-17 17:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
            2012-07-27 15:17 . 2001-08-17 17:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
            2012-07-24 17:44 . 2012-07-24 17:44   --------   d-----w-   C:\users
            2012-07-24 17:33 . 2012-07-24 17:37   --------   d-----w-   c:\windows\system32\Adobe
            2012-07-23 19:36 . 2012-07-23 19:36   --------   d-----w-   c:\documents and settings\NetworkService\Application Data\Yahoo!
            2012-07-23 01:16 . 2012-07-28 02:31   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\ArcadeWeb
            2012-07-22 14:43 . 2012-07-22 14:43   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\visi_coupon
            2012-07-10 23:58 . 2012-07-22 14:54   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo! Companion
            2012-07-10 23:58 . 2012-07-10 23:59   --------   d-----w-   c:\documents and settings\Owner\Application Data\Yahoo!
            2012-07-10 23:58 . 2012-07-10 23:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\Yahoo!
            2012-07-10 23:57 . 2012-07-10 23:58   --------   d-----w-   c:\program files\Yahoo!
            .
            .
            .
            ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            2012-07-29 01:54 . 2012-04-02 20:12   426184   ----a-w-   c:\windows\system32\FlashPlayerApp.exe
            2012-07-29 01:54 . 2012-02-05 05:36   70344   ----a-w-   c:\windows\system32\FlashPlayerCPLApp.cpl
            2012-07-03 17:46 . 2012-03-09 00:31   22344   ----a-w-   c:\windows\system32\drivers\mbam.sys
            2012-06-27 06:54 . 2012-06-27 06:54   21840   ----a-w-   c:\windows\system32\SIntfNT.dll
            2012-06-27 06:54 . 2012-06-27 06:54   17212   ----a-w-   c:\windows\system32\SIntf32.dll
            2012-06-27 06:54 . 2012-06-27 06:54   12067   ----a-w-   c:\windows\system32\SIntf16.dll
            2012-06-13 13:19 . 2007-11-20 06:04   1866112   ----a-w-   c:\windows\system32\win32k.sys
            2012-06-06 18:55 . 2003-08-13 01:17   499712   ----a-w-   c:\windows\system32\msvcp71.dll
            2012-06-06 18:55 . 2003-08-13 01:17   348160   ----a-w-   c:\windows\system32\msvcr71.dll
            2012-06-05 15:50 . 2009-08-19 22:07   1372672   ----a-w-   c:\windows\system32\msxml6.dll
            2012-06-05 15:50 . 2007-11-20 05:58   1172480   ----a-w-   c:\windows\system32\msxml3.dll
            2012-06-04 04:32 . 2007-11-20 05:59   152576   ----a-w-   c:\windows\system32\schannel.dll
            2012-06-02 19:19 . 2009-08-07 03:24   22040   ----a-w-   c:\windows\system32\wucltui.dll.mui
            2012-06-02 19:19 . 2009-08-07 03:24   15384   ----a-w-   c:\windows\system32\wuaucpl.cpl.mui
            2012-06-02 19:19 . 2007-11-20 06:05   329240   ----a-w-   c:\windows\system32\wucltui.dll
            2012-06-02 19:19 . 2007-11-20 06:05   210968   ----a-w-   c:\windows\system32\wuweb.dll
            2012-06-02 19:19 . 2007-11-20 06:05   219160   ----a-w-   c:\windows\system32\wuaucpl.cpl
            2012-06-02 19:19 . 2009-08-07 03:24   45080   ----a-w-   c:\windows\system32\wups2.dll
            2012-06-02 19:19 . 2009-08-07 03:24   15384   ----a-w-   c:\windows\system32\wuapi.dll.mui
            2012-06-02 19:19 . 2007-11-20 06:05   35864   ----a-w-   c:\windows\system32\wups.dll
            2012-06-02 19:19 . 2007-11-20 06:05   53784   ----a-w-   c:\windows\system32\wuauclt.exe
            2012-06-02 19:19 . 2007-11-20 05:31   97304   ----a-w-   c:\windows\system32\cdm.dll
            2012-06-02 19:19 . 2009-08-07 03:24   17944   ----a-w-   c:\windows\system32\wuaueng.dll.mui
            2012-06-02 19:19 . 2007-11-20 06:05   577048   ----a-w-   c:\windows\system32\wuapi.dll
            2012-06-02 19:19 . 2007-11-20 06:05   1933848   ----a-w-   c:\windows\system32\wuaueng.dll
            2012-06-02 19:18 . 2012-02-12 05:58   275696   ----a-w-   c:\windows\system32\mucltui.dll
            2012-06-02 19:18 . 2012-02-12 05:58   214256   ----a-w-   c:\windows\system32\muweb.dll
            2012-06-02 19:18 . 2012-02-12 05:58   17136   ----a-w-   c:\windows\system32\mucltui.dll.mui
            2012-05-31 13:22 . 2007-11-20 05:31   599040   ----a-w-   c:\windows\system32\crypt32.dll
            2012-05-16 15:08 . 2007-11-20 06:05   916992   ----a-w-   c:\windows\system32\wininet.dll
            2012-05-11 14:42 . 2007-11-20 05:57   43520   ------w-   c:\windows\system32\licmgr10.dll
            2012-05-11 14:42 . 2007-11-20 05:40   1469440   ------w-   c:\windows\system32\inetcpl.cpl
            2012-05-11 11:38 . 2007-11-20 05:40   385024   ------w-   c:\windows\system32\html.iec
            2012-05-04 13:12 . 2007-11-20 05:59   2192640   ----a-w-   c:\windows\system32\ntoskrnl.exe
            2012-05-04 12:32 . 2012-02-05 04:25   2069120   ----a-w-   c:\windows\system32\ntkrnlpa.exe
            2012-07-19 03:23 . 2012-02-05 05:35   136672   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
            .
            .
            (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
            .
            .
            *Note* empty entries & legit default entries are not shown
            REGEDIT4
            .
            [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
            "{81017EA9-9AA8-4A6A-9734-7AF40E7D593F}"= "c:\program files\Yahoo!\Companion\Installs\cpn1\yt.dll" [2012-06-11 1524056]
            .
            [HKEY_CLASSES_ROOT\clsid\{81017ea9-9aa8-4a6a-9734-7af40e7d593f}]
            [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin.1]
            [HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
            [HKEY_CLASSES_ROOT\yt.YTNavAssistPlugin]
            .
            [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2012-05-25 6595928]
            "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2011-09-02 4862384]
            .
            [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
            "UnlockerAssistant"="c:\my backup -- 10-02-28 0905pm\Program Files\Unlocker\UnlockerAssistant .exe" [2009-10-26 15872]
            "TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2012-06-06 296056]
            "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-04-19 421888]
            "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
            "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-05-31 59280]
            "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-06-07 421776]
            .
            [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
            "Power2GoExpress"="NA" [X]
            "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2011-09-02 4862384]
            .
            c:\documents and settings\Owner\Start Menu\Programs\Startup\
            IMVU.lnk - c:\documents and settings\Owner\Application Data\IMVUClient\IMVUQualityAgent.exe [2012-7-19 23408]
            .
            c:\documents and settings\Administrator\Start Menu\Programs\Startup\
            _uninst_.lnk - c:\documents and settings\Administrator\Local Settings\Temp\_uninst_.bat [N/A]
            .
            [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
            "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
            2011-05-04 17:54   551296   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            .
            [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
            @=""
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
            path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
            backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
            .
            [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMVU.lnk]
            path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMVU.lnk
            backup=c:\windows\pss\IMVU.lnkStartup
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
            2012-01-03 13:10   843712   ----a-w-   c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
            2012-02-23 15:38   59240   ----a-w-   c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
            2012-05-31 00:06   59280   ----a-w-   c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CLMLServer]
            2009-12-15 18:47   103720   ------w-   c:\program files\CyberLink\Power2Go\CLMLSvc.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Exetender]
            2011-09-02 00:18   4862384   ----a-w-   c:\program files\Free Ride Games\GPlayer.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
            2011-05-10 07:41   49208   ----a-w-   c:\program files\HP\HP Software Update\hpwuschd2.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
            2012-06-07 23:33   421776   ----a-w-   c:\program files\iTunes\iTunesHelper.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LGODDFU]
            2012-02-12 03:51   557056   ----a-w-   c:\program files\lg_fwupdate\fwupdate.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
            2012-07-03 17:46   462920   ----a-w-   c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
            2008-04-14 10:42   1695232   ------w-   c:\program files\Messenger\msmsgs.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
            2005-09-18 16:32   7204864   ----a-w-   c:\windows\system32\nvcpl.dll
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
            2005-09-18 16:32   86016   ----a-w-   c:\windows\system32\nvmctray.dll
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
            2005-09-18 16:32   1519616   ----a-w-   c:\windows\system32\nwiz.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
            2012-04-19 00:56   421888   ----a-w-   c:\program files\QuickTime\QTTask.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\readericon]
            2005-08-27 13:09   139264   ----a-w-   c:\program files\Digital Media Reader\readericon45G.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
            2002-09-14 06:42   212992   ----a-w-   c:\windows\SMINST\Recguard.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
            2005-02-26 01:24   966656   ----a-w-   c:\windows\creator\Remind_XP.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
            2005-01-12 11:01   32768   ----a-w-   c:\program files\CyberLink\PowerDVD\PDVDServ.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
            2005-09-26 23:07   90112   ----a-w-   c:\windows\soundman.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
            2012-01-18 18:02   254696   ----a-w-   c:\program files\Common Files\Java\Java Update\jusched.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
            2012-07-09 23:38   4777856   ----a-w-   c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
            2012-06-06 18:55   296056   ----a-w-   c:\program files\real\realplayer\Update\realsched.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UCam_Menu]
            2009-02-18 02:21   218408   ------w-   c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateLBPShortCut]
            2009-05-20 03:16   222504   ----a-w-   c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
            2009-05-20 03:16   222504   ------w-   c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePSTShortCut]
            2010-04-20 15:18   222504   ------w-   c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe
            .
            R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 7:38 PM 116608]
            S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\rsdrv.sys [2/25/2012 5:12 PM 22312]
            S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 12:27 PM 12880]
            S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 5:55 PM 67664]
            S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/8/2012 8:31 PM 655944]
            S2 X4HSEx;X4HSEx;c:\program files\Free Ride Games\X4HSEx.sys [3/9/2012 10:40 PM 56424]
            S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/2/2012 4:12 PM 250056]
            S3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\system32\drivers\aticxcap.sys [3/30/2005 11:22 AM 173824]
            S3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\system32\drivers\aticxtun.sys [3/30/2005 11:22 AM 29184]
            S3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\system32\drivers\aticxxbr.sys [3/30/2005 11:22 AM 9088]
            S3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [10/12/2010 1:59 PM 206072]
            S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/8/2012 8:31 PM 22344]
            S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 5:46 PM 113120]
            S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
            S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
            .
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
            HPZ12   REG_MULTI_SZ      Pml Driver HPZ12 Net Driver HPZ12
            HPService   REG_MULTI_SZ      HPSLPSVC
            hpdevmgmt   REG_MULTI_SZ      hpqcxs08 hpqddsvc
            .
            Contents of the 'Scheduled Tasks' folder
            .
            2012-08-01 c:\windows\Tasks\Adobe Flash Player Updater.job
            - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 01:54]
            .
            2012-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
            - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
            .
            2012-08-01 c:\windows\Tasks\ArcadeWeb Update.job
            - c:\documents and settings\Owner\Local Settings\Application Data\ArcadeWeb\awuper.exe [2012-07-23 01:16]
            .
            2012-08-01 c:\windows\Tasks\Final Media Player Update Checker.job
            - c:\program files\FinalMediaPlayer\FMPCheckForUpdates.exe [2012-07-31 18:24]
            .
            2012-07-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-336148078-1946281778-3440682271-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 22:21]
            .
            2012-07-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-336148078-1946281778-3440682271-1003.job
            - c:\program files\Real\RealUpgrade\realupgrade.exe [2012-04-30 22:21]
            .
            2012-07-31 c:\windows\Tasks\User_Feed_Synchronization-{44B84EA4-CDCB-40A0-A3DF-F2C90598BDEF}.job
            - c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
            .
            .
            ------- Supplementary Scan -------
            .
            uInternet Settings,ProxyOverride = *.local
            IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk
            TCP: DhcpNameServer = 10.0.0.1
            FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\7edmm5iv.default\
            FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
            FF - prefs.js: browser.startup.homepage - hxxp://myfun-home-page.com/Heidi-sunset
            FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
            FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108471
            FF - user.js: extensions.BabylonToolbar_i.babExt -
            FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
            FF - user.js: extensions.BabylonToolbar_i.id - c01e3e870000000000000040ca936ff1
            FF - user.js: extensions.BabylonToolbar_i.hardId - c01e3e870000000000000040ca936ff1
            FF - user.js: extensions.BabylonToolbar_i.instlDay - 15409
            FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
            FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
            FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1719:09
            FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
            FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
            FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
            FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
            FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
            FF - user.js: extensions.BabylonToolbar_i.instlRef - sst
            FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
            .
            - - - - ORPHANS REMOVED - - - -
            .
            Toolbar-10 - (no file)
            Toolbar-Locked - (no file)
            WebBrowser-{EEE6C35B-6118-11DC-9C72-001320C79847} - (no file)
            MSConfigStartUp-appkikxSA - c:\documents and settings\Owner\Local Settings\Application Data\appkikxSA\bin\1.0.5.0\appkikxSA.exe
            MSConfigStartUp-ares - c:\program files\Ares\Ares.exe
            MSConfigStartUp-blueturtlegamesSA - c:\documents and settings\Owner\Local Settings\Application Data\blueturtlegamesSA\bin\1.0.3.0\blueturtlegamesSA.exe
            MSConfigStartUp-Kujytuo - c:\documents and settings\Owner\Application Data\kujytuo\kujytuo.exe
            MSConfigStartUp-TrayIcRun - c:\program files\ArcadeWeb\tray.exe
            AddRemove-AWSoftware - c:\documents and settings\Owner\Local Settings\Application Data\ArcadeWeb\awun.exe
            .
            .
            .
            **************************************************************************
            .
            catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
            Rootkit scan 2012-08-01 22:47
            Windows 5.1.2600 Service Pack 3 NTFS
            .
            scanning hidden processes ... 
            .
            scanning hidden autostart entries ...
            .
            scanning hidden files ... 
            .
            scan completed successfully
            hidden files: 0
            .
            **************************************************************************
            .
            [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
            "ImagePath"="c:\windows\system32\GameMon.des -service"
            .
            --------------------- LOCKED REGISTRY KEYS ---------------------
            .
            [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
            @Denied: (2) (LocalSystem)
            "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5 977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,fc,fe,36,28,94,b3,45,bf,58,d7,\
            "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839 E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
               d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bb,fc,fe,36,28,94,b3,45,bf,58,d7,\
            .
            --------------------- DLLs Loaded Under Running Processes ---------------------
            .
            - - - - - - - > 'winlogon.exe'(556)
            c:\program files\SUPERAntiSpyware\SASWINLO.DLL
            c:\windows\system32\WININET.dll
            .
            Completion time: 2012-08-01  22:48:52
            ComboFix-quarantined-files.txt  2012-08-02 02:48
            .
            Pre-Run: 73,657,634,816 bytes free
            Post-Run: 75,139,383,296 bytes free
            .
            WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
            [boot loader]
            default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
            [operating systems]
            c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
            UnsupportedDebug="do not select this" /debug
            multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
            .
            - - End Of File - - 67D3953A185063D17472DB2E4B0E6D6E

            SuperDave

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Thanked: 1020
            • Certifications: List
            • Experience: Expert
            • OS: Windows 10
            Re: after using kaspersky computer won't boot
            « Reply #10 on: August 02, 2012, 04:19:16 PM »
            Update Your Java (JRE)

            Old versions of Java have vulnerabilities that malware can use to infect your system.


            First Verify your Java Version

            If there are any other version(s) installed then update now.

            Get the new version (if needed)

            If your version is out of date install the newest version of the Sun Java Runtime Environment.

            Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

            Be sure to close ALL open web browsers before starting the installation.

            Remove any old versions

            1. Download JavaRa and unzip the file to your Desktop.
            2. Open JavaRA.exe and choose Remove Older Versions
            3. Once complete exit JavaRA.

            Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.
            ************************************************
            Quote
            Total Fragmentation on Drive C:: 18% Defragment your hard drive soon!
            Please defrag your hard drive soon.

            Looking over your log it seems you don't have any antivirus software.

            Before we continue download and install a free antivirus.
            I recommend Microsoft Security Essentials.

            Remember to only install one antivirus!
             
            1) Avast! Home Edition
            2) AVG Free Edition
            3) Avira AntiVir Personal
            4) Microsoft Security Essentials for Windows Vista\Windows 7 - 64 bit Download
            4-a) Microsoft Security Essentials for Windows XP
            5) Comodo Antivirus (Uncheck during installation "Install Comodo SafeSurf..", "Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
            6) PC Tools AntiVirus Free Edition
            7) ThreatFire

            It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.
            ******************************************************
            Re-running ComboFix to remove infections:

            • Close any open browsers.
            • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
            • Open notepad and copy/paste the text in the quotebox below into it:
              Quote
              KillAll::

              Firefox::
              FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
              FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
              FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108471
              FF - user.js: extensions.BabylonToolbar_i.babExt -
              FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
              FF - user.js: extensions.BabylonToolbar_i.id - c01e3e870000000000000040ca936ff1
              FF - user.js: extensions.BabylonToolbar_i.hardId - c01e3e870000000000000040ca936ff1
              FF - user.js: extensions.BabylonToolbar_i.instlDay - 15409
              FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
              FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
              FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1719:09
              FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
              FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
              FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
              FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
              FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
              FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

              DDS::
              FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=3&q={searchTerms}
              FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2260173&SearchSource=2&q=
              FF - user.js: extensions.BabylonToolbar_i.babTrack - affID=108471
              FF - user.js: extensions.BabylonToolbar_i.babExt -
              FF - user.js: extensions.BabylonToolbar_i.srcExt - ss
              FF - user.js: extensions.BabylonToolbar_i.id - c01e3e870000000000000040ca936ff1
              FF - user.js: extensions.BabylonToolbar_i.hardId - c01e3e870000000000000040ca936ff1
              FF - user.js: extensions.BabylonToolbar_i.instlDay - 15409
              FF - user.js: extensions.BabylonToolbar_i.vrsn - 1.5.3.17
              FF - user.js: extensions.BabylonToolbar_i.vrsni - 1.5.3.17
              FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.5.3.1719:09
              FF - user.js: extensions.BabylonToolbar_i.prtnrId - babylon
              FF - user.js: extensions.BabylonToolbar_i.prdct - BabylonToolbar
              FF - user.js: extensions.BabylonToolbar_i.aflt - babsst
              FF - user.js: extensions.BabylonToolbar_i.smplGrp - none
              FF - user.js: extensions.BabylonToolbar_i.tlbrId - base
              FF - user.js: extensions.BabylonToolbar_i.instlRef - sst

            • Save this as CFScript.txt, in the same location as ComboFix.exe



            • Referring to the picture above, drag CFScript into ComboFix.exe
            • When finished, it shall produce a log for you at C:\ComboFix.txt
            • Please post the contents of the log in your next reply.
            ******************************************************
            SysProt Antirootkit

            Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

            http://sites.google.com/site/sysprotantirootkit/

            Unzip it into a folder on your desktop.
            • Double click Sysprot.exe to start the program.
            • Click on the Log tab.
            • In the Write to log box select the following items.
              • Process << Selected
              • Kernel Modules << Selected
              • SSDT << Selected
              • Kernel Hooks << Selected
              • IRP Hooks << NOT Selected
              • Ports << NOT Selected
              • Hidden Files << Selected
            • At the bottom of the page
              • Hidden Objects Only << Selected
            • Click on the Create Log button on the bottom right.
            • After a few seconds a new window should appear.
            • Select Scan Root Drive. Click on the Start button.
            • When it is complete a new window will appear to indicate that the scan is finished.
            • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.
            Windows 8 and Windows 10 dual boot with two SSD's
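An added example (not part of the original post and not ComboFix's own logic): a small Python triage of the `FF -` lines in a ComboFix supplementary scan, flagging search prefs that point outside an allowlist and extension prefs pinned through user.js, the same kind of entries the script above lists. The sample log lines, the allowlist and the two rules are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in the "Supplementary Scan" line format; not the poster's log.
SAMPLE_LOG = r"""uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\example.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.example.test/Results.aspx?ctid=CT0000000&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/
FF - prefs.js: keyword.URL - hxxp://search.example.test/Results.aspx?ctid=CT0000000&q=
FF - user.js: extensions.ExampleToolbar_i.id - 0123456789abcdef
FF - user.js: extensions.ExampleToolbar_i.babExt -
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
"""

# "FF - <file>: <pref name> - <value>"; the value may be empty.
FF_PREF = re.compile(
    r"^FF - (?P<source>prefs\.js|user\.js): (?P<key>\S+) -\s*(?P<value>.*)$"
)

# Assumption: prefs that decide where address-bar and search-box queries go.
SEARCH_PREFS = {"browser.search.defaulturl", "keyword.URL"}
# Assumption: hosts the reviewer accepts as search providers.
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}


@dataclass
class Finding:
    source: str          # prefs.js or user.js
    key: str             # preference name
    value: str           # value exactly as logged (still defanged)
    host: Optional[str]  # host parsed from the value, if it is a URL
    reason: str


def host_of(value: str) -> Optional[str]:
    """Return the lower-cased host of a (possibly defanged hxxp) URL, else None."""
    url = re.sub(r"^hxxp", "http", value.strip(), flags=re.IGNORECASE)
    if not re.match(r"^https?://", url, re.IGNORECASE):
        return None
    try:
        return (urlsplit(url).hostname or "").lower() or None
    except ValueError:  # malformed netloc
        return None


def triage(log_text: str) -> List[Finding]:
    """Flag FF pref lines that deserve a reviewer's attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = FF_PREF.match(raw.strip())
        if not m:
            continue  # not a Firefox pref line (ProfilePath, TCP, IE, ...)
        source, key, value = m["source"], m["key"], m["value"].strip()
        host = host_of(value)
        if key in SEARCH_PREFS:
            # Rule 1: a search pref set to a host outside the allowlist.
            if value and host not in TRUSTED_SEARCH_HOSTS:
                findings.append(Finding(source, key, value, host,
                                        "search pref points outside the allowlist"))
        elif source == "user.js" and key.startswith("extensions."):
            # Rule 2: user.js is re-read at every start, so a pref written
            # there comes back even after it is changed in prefs.js.
            findings.append(Finding(source, key, value, host,
                                    "extension pref pinned in user.js"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.source:9} {f.key:40} {f.reason}")
```
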

            JAJsangel

              Topic Starter


              Beginner
              • Experience: Familiar
              • OS: Windows 8
              Re: after using kaspersky computer won't boot
              « Reply #11 on: August 06, 2012, 02:02:44 PM »
              I tried copying the script but ComboFix seemed stuck on scanning when I did.


              SysProt AntiRootkit v1.0.1.0
              by swatkat

              ******************************************************************************************
              ******************************************************************************************

              No Hidden Processes found

              ******************************************************************************************
              ******************************************************************************************
              Kernel Modules:
              Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
              Service Name: ---
              Module Base: B2186000
              Module End: B219E000
              Hidden: Yes

              Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
              Service Name: ---
              Module Base: B862C000
              Module End: B862E000
              Hidden: Yes

              ******************************************************************************************
              ******************************************************************************************
              No SSDT Hooks found

              ******************************************************************************************
              ******************************************************************************************
              No Kernel Hooks found

              ******************************************************************************************
              ******************************************************************************************
              Hidden files/folders:
              Object: C:\System Recovery\I386
              Status: Access denied

              Object: C:\System Recovery\SYSRST
              Status: Access denied


              SuperDave

              • Malware Removal Specialist
              • Moderator


              • Genius
              • Thanked: 1020
              • Certifications: List
              • Experience: Expert
              • OS: Windows 10
              Re: after using kaspersky computer won't boot
              « Reply #12 on: August 06, 2012, 04:33:42 PM »
              Please give me an update on your computer. What's happening now?

              SysProt Antirootkit

              Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

              http://sites.google.com/site/sysprotantirootkit/

              Unzip it into a folder on your desktop.
              • Double click Sysprot.exe to start the program.
              • Click on the Log tab.
              • In the Write to log box select the following items.
                • Process << Selected
                • Kernel Modules << Selected
                • SSDT << Selected
                • Kernel Hooks << Selected
                • IRP Hooks << NOT Selected
                • Ports << NOT Selected
                • Hidden Files << Selected
              • At the bottom of the page
                • Hidden Objects Only << Selected
              • Click on the Create Log button on the bottom right.
              • After a few seconds a new window should appear.
              • Select Scan Root Drive. Click on the Start button.
              • When it is complete a new window will appear to indicate that the scan is finished.
              • The log will be saved automatically in the same folder Sysprot.exe was extracted to. Open the text file and copy/paste the log here.

              JAJsangel

                Topic Starter


                Beginner
                • Experience: Familiar
                • OS: Windows 8
                Re: after using kaspersky computer won't boot
                « Reply #13 on: August 09, 2012, 10:42:30 AM »
                Sometimes google redirects. This search ask123 comes up with random websites (can't really pinpoint which ones..I think it happens with websites that don't work sometimes)
                Also I can't fool around with the task manager too much. I can stop some startup processes but not others.


                SysProt AntiRootkit v1.0.1.0
                by swatkat

                ******************************************************************************************
                ******************************************************************************************

                No Hidden Processes found

                ******************************************************************************************
                ******************************************************************************************
                Kernel Modules:
                Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
                Service Name: ---
                Module Base: B2633000
                Module End: B264B000
                Hidden: Yes

                Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
                Service Name: ---
                Module Base: B85FE000
                Module End: B8600000
                Hidden: Yes

                ******************************************************************************************
                ******************************************************************************************
                No SSDT Hooks found

                ******************************************************************************************
                ******************************************************************************************
                No Kernel Hooks found

                ******************************************************************************************
                ******************************************************************************************
                Hidden files/folders:
                Object: C:\System Recovery\I386
                Status: Access denied

                Object: C:\System Recovery\SYSRST
                Status: Access denied

                Also I was having trouble with this. It seemed to freeze before the scan was done.

                SuperDave

                • Malware Removal Specialist
                • Moderator


                • Genius
                • Thanked: 1020
                • Certifications: List
                • Experience: Expert
                • OS: Windows 10
                Re: after using kaspersky computer won't boot
                « Reply #14 on: August 09, 2012, 01:23:21 PM »
                Quote
                Sometimes google redirects. This search ask123 comes up with random websites (can't really pinpoint which ones..I think it happens with websites that don't work sometimes)
                What browser are you using?

                I'd like to scan your machine with ESET OnlineScan

                • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
                ESET OnlineScan
                • Click the button.
                • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
                  • Click on to download the ESET Smart Installer. Save it to your desktop.
                  • Double click on the icon on your desktop.
                • Check
                • Click the button.
                • Accept any security warnings from your browser.
                • Check
                • Push the Start button.
                • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
                • When the scan completes, push
                • Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
                • Push the button.
                • Push
                A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt