Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Old 03-28-2009, 09:04 PM   #1 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


No icons, no taskbar, only desktop image in normal mode, part2

Sorry about my earlier post.

The problem is that when I enter normal mode, I don't see any icons, taskbar, or start menu. There's only the desktop image. The mouse pointer is there, and it's still movable. I can still access Ctrl+Alt+Del, but that's about it.


If I enter through safe mode, or safe mode with networking, the icons, taskbar, and start menu are there.

Yesterday, I deleted my AV (AVG) out of frustration, and then suddenly, when I entered normal mode, the icons, taskbar and start menu were back. When I tried to install BitDefender AV, then restarted my computer and entered normal mode again, the icons, taskbar and start menu weren't there again. So I restored my computer to just before I installed BitDefender, to get a working system.

Even if my system is working now, even without AV, I still think the problem is still there.

Please help me.
The attachment is a .rar, because I can't find WinZip.
Here's the DDS log...

********************************

DDS (Ver_09-03-16.01) - NTFSx86
Run by Administrator at 10:18:24.86 on Sat 03/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.820 [GMT -8:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\SupportAppXL\cdrom_mon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\pchealth\helpctr\binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Documents and Settings\Administrator\Desktop\dds.pif

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
BHO: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - No File
TB: {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - No File
uRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SigmaTel StacMon] c:\program files\sigmatel\sigmatel ac97 audio drivers\stacmon.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [VMSnap3] c:\windows\VMSnap3.EXE
mRun: [Domino] c:\windows\Domino.EXE
dRun: [TaskSwitchXP] c:\program files\taskswitchxp\TaskSwitchXP.exe
dRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
dRunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll"
dRunOnce: [nlhr] RunDll32.exe %SystemRoot%\System32\AdvPack.Dll,LaunchINFSection %SystemRoot%\inf\nlite.inf,C
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoSMHelp = 1 (0x1)
mPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
dPolicies-explorer: NoInstrumentation = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_05\bin\npjpi150_05.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~1\office12\GR99D3~1.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\6b4gidpm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAskSBr.dll

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-3-26 28544]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\supportappxl\cdrom_mon.exe [2008-12-26 81920]
S2 avbvitqm;Center Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 axzlhzm;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 vvpqtgpal;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-2-9 428160]

============== File Associations ===============

inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1

=============== Created Last 30 ================

2009-03-28 10:05 <DIR> --d-h--- c:\windows\PIF
2009-03-28 09:37 81,984 a------- c:\windows\system32\bdod.bin
2009-03-28 01:05 <DIR> --d----- c:\docume~1\admini~1\applic~1\BitDefender
2009-03-28 01:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-03-27 10:13 <DIR> --d----- c:\program files\Trend Micro
2009-03-27 08:37 102,664 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-27 08:36 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-03-26 21:48 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-03-26 21:46 <DIR> --d----- c:\program files\Panda Security
2009-03-26 17:49 <DIR> --d----- c:\program files\CleanUp!
2009-03-26 17:48 <DIR> -cd----- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-24 21:57 <DIR> --d----- c:\windows\pss

==================== Find3M ====================

2009-03-28 10:10 170,786 a------- c:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-02-12 20:59 25,992 a------- c:\windows\system32\pgdfgsvc.exe

============= FINISH: 10:19:17.37 ===============
Attached Files
File Type: rar Desktop.rar (27.1 KB, 4 views)

Old 03-28-2009, 10:50 PM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Hi flobberangel,

It will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on combofix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-09-2009, 12:49 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

Sorry for the late reply.

Here are the two logs.
Attached Files
File Type: txt log.txt (11.2 KB, 3 views)
File Type: txt ComboFix.txt (11.2 KB, 5 views)
Old 04-09-2009, 08:53 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

You took a bit too long to run the tool, flobberangel.

ComboFix should have prompted you that an update was available--did you see such a prompt? If so, what happened?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-10-2009, 10:17 AM   #5 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

Sorry about that, my bad >_<

Here are the two logs, after the update.
Attached Files
File Type: txt log.txt (10.5 KB, 2 views)
File Type: txt ComboFix.txt (10.5 KB, 6 views)
Old 04-19-2009, 12:43 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Hello flobberangel,

I somehow lost the notifications to this thread. Do you still require assistance?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-20-2009, 06:22 AM   #7 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

Yes please.

The two logs that you requested were in the previous reply. The attachment function won't let me attach them again.

Please help me ><

-flobberangel
Old 04-20-2009, 06:37 AM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Let's continue.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
c:\windows\system32\rwnlgyd.dll

Driver::
axzlhzm
vvpqtgpal

NetSvc::
vvpqtgpal
axzlhzm
avbvitqm

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d3877d-a312-11dd-a3fc-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6a4010-131a-11de-a4ff-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e3ec5a0-c4c3-11dd-a450-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{634760c0-d3b8-11dd-a46b-000f1f2914d7}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-
"nlhr"=-
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe


Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


--------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior


**Note--copy/paste the reports directly into the reply box. Do not attach them unless requested. :)
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 04-30-2009, 05:33 AM   #9 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

Sorry for the late reply, I got very busy the last few weeks.

Please bear with me ><

Here are the reports.

ComboFix report
******
ComboFix 09-04-04.01 - Administrator 2009-04-10 16:22:58.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.849 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fi.exe
.

((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-10 00:01 . 2009-04-10 00:01 <DIR> d-------- c:\program files\iPod
2009-04-10 00:00 . 2009-04-10 00:03 <DIR> d-------- c:\program files\iTunes
2009-04-10 00:00 . 2009-04-10 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-09 23:49 . 2009-04-09 23:50 <DIR> d-------- c:\program files\QuickTime
2009-04-09 23:40 . 2009-04-10 00:03 <DIR> d-------- c:\windows\LastGood
2009-03-28 11:05 . 2009-03-28 11:05 <DIR> d--h----- c:\windows\PIF
2009-03-28 10:37 . 2009-03-28 10:47 81,984 --a------ c:\windows\system32\bdod.bin
2009-03-28 02:05 . 2009-03-28 10:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\BitDefender
2009-03-28 02:05 . 2009-03-28 02:05 <DIR> d-------- c:\documents and settings\Administrator\Application Data\BitDefender
2009-03-27 11:13 . 2009-03-27 11:13 <DIR> d-------- c:\program files\Trend Micro
2009-03-27 09:37 . 2009-03-27 09:36 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-27 09:36 . 2009-03-27 09:42 <DIR> d-------- c:\documents and settings\Administrator\.housecall6.6
2009-03-26 22:48 . 2008-06-19 17:24 28,544 --a------ c:\windows\system32\drivers\pavboot.sys
2009-03-26 22:46 . 2009-03-26 22:46 <DIR> d-------- c:\program files\Panda Security
2009-03-26 18:48 . 2009-03-26 18:48 <DIR> d----c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 23:07 --------- d-----w c:\documents and settings\Administrator\Application Data\uTorrent
2009-04-10 07:00 --------- d-----w c:\program files\Common Files\Apple
2009-04-10 05:41 --------- d-----w c:\program files\Bonjour
2009-03-28 09:05 --------- d-----w c:\program files\Common Files\BitDefender
2009-03-19 23:32 23,400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-04 07:52 --------- d-----w c:\documents and settings\Administrator\Application Data\LimeWire
2009-02-13 04:59 25,992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-02-10 05:24 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-10 05:24 --------- d-----w c:\program files\Vimicro
2009-02-10 05:24 --------- d-----w c:\documents and settings\Administrator\Application Data\InstallShield
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-12-14 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-12-14 02:18 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-28 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 c:\windows\BCMSMMSG.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"nlhr"="c:\windows\System32\AdvPack.Dll" [2004-08-03 99840]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ChikkaDefault]
--a------ 2007-08-28 18:11 36864 c:\program files\Chikka Messenger\Chikka v.4\ChikkaLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-04-02 16:11 342312 c:\program files\iTunes\iTunesHelper.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-26 28544]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2008-12-26 81920]
S2 avbvitqm;Center Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 axzlhzm;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 vvpqtgpal;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-02-09 428160]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - IPOD_SERVICE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vvpqtgpal
axzlhzm
avbvitqm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d3877d-a312-11dd-a3fc-000f1f2914d7}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ab2dcc0-d3bd-11dd-a46c-000f1f2914d7}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6a4010-131a-11de-a4ff-000f1f2914d7}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe
\Shell\open\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{634760c0-d3b8-11dd-a46b-000f1f2914d7}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e3ec5a0-c4c3-11dd-a450-000f1f2914d7}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6b4gidpm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.
.
------- File Associations -------
.
inffile=c:\windows\system32\NOTEPAD2.EXE %1
inifile=c:\windows\system32\NOTEPAD2.EXE %1
txtfile=c:\windows\system32\NOTEPAD2.EXE %1
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 16:25:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\avbvitqm]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\axzlhzm]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vvpqtgpal]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1336)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
.
Completion time: 2009-04-10 16:28:27
ComboFix-quarantined-files.txt 2009-04-10 23:28:19

Pre-Run: 23,228,567,552 bytes free
Post-Run: 23,217,160,192 bytes free

172
*****

Kaspersky website report
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, April 30, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, April 29, 2009 17:17:57
Records in database: 2095547
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 68227
Threat name: 7
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 10:11:29


File name / Threat name / Threats count
C:\WINDOWS\system32\A2FEF6\40E15C.EXE//PE-Crypt.CF/C:\WINDOWS\system32\A2FEF6\40E15C.EXE//PE-Crypt.CF Infected: Trojan-Dropper.Win32.Flystud.ko 1
C:\Documents and Settings\Administrator\Desktop\usb files\April 3.doc .exe Infected: Worm.Win32.Mabezat.b 1
C:\Documents and Settings\Administrator\Desktop\usb files\Auto.exe Infected: Worm.Win32.Mabezat.b 1
C:\Documents and Settings\Administrator\Desktop\usb files\Flashy.exe Infected: Trojan.Win32.Disabler.i 1
C:\Documents and Settings\Administrator\Desktop\usb files\RECYCLER.exe Infected: Trojan.Win32.Disabler.i 1
C:\WINDOWS\psshutdown.exe Infected: not-a-virus:RiskTool.Win32.PsKill.au 1
C:\WINDOWS\system32\A2FEF6\40E15C.EXE Infected: Trojan-Dropper.Win32.Flystud.ko 1
D:\ALBUMS and SONGS\Mamma Mia! - Soundtracks (2008)\07 - Super Trouper.mp3 Infected: Trojan-Downloader.WMA.GetCodec.j 1
D:\ALBUMS and SONGS\Rihanna - Good Girl Gone Bad\05 - Shut Up & Drive.mp3 Infected: Trojan-Downloader.WMA.GetCodec.i 1
D:\EBOOKS\Charles Haanel - The Master Key System.iso Infected: Trojan-Dropper.Win32.VB.bix 1
D:\EBOOKS\Emile Coue - Self Mastery.iso Infected: Trojan-Dropper.Win32.VB.bix 1

The selected area was scanned.
****

So far the computer is working normally, though it doesn't have any antivirus installed right now. I'm afraid to install an antivirus until the fixes are done, since installing an antivirus usually causes the virus (if it is a virus) to do its thing and hide the taskbar and program icons again.
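The two findings Ried's CFScript acts on are visible in the ComboFix report above: three services with random-looking names all run under "svchost.exe -k netsvcs" and all point their ServiceDll at the same unknown file, and several mountpoints2 entries make a removable drive run a script or executable when it is opened. The following Python script is an added example of how an analyst can pull those signals out of a report mechanically; it is not part of this thread, of ComboFix or of DDS. It assumes the line formats seen in the posted logs (the regular expressions are mine), embeds a constructed sample made of lines copied from the report above, and uses no allowlist of legitimate Windows ServiceDlls, so "one DLL registered under several service names" is the rule it relies on. It generalises to any number of services and volume GUIDs, not only the three seen here.

```python
"""Triage helper for ComboFix / DDS style text reports (added example).

It reads a report line by line and pulls out what the analyst in this thread
acted on: services whose image is "svchost.exe -k netsvcs", the ServiceDll
each such service points at (the per-service registry blocks near the end of
the report), and mountpoints2 AutoRun/open/explore handlers for removable
drives. It then flags a ServiceDll registered under several service names and
any drive handler that launches a script or executable instead of a drive root.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the ComboFix report in this thread.
SAMPLE_LOG = r"""
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-03-26 28544]
S2 avbvitqm;Center Installer;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 axzlhzm;Time Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S2 vvpqtgpal;System Windows;c:\windows\system32\svchost.exe -k netsvcs [2004-08-03 14336]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2009-02-09 428160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d3877d-a312-11dd-a3fc-000f1f2914d7}]
\Shell\AutoRun\command - E:\
\Shell\explore\Command - WScript.exe .\myeclass.vbs
\Shell\open\Command - WScript.exe .\myeclass.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6a4010-131a-11de-a4ff-000f1f2914d7}]
\Shell\AutoRun\command - e:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\SYS32.exe

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\avbvitqm]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\axzlhzm]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vvpqtgpal]
"ServiceDll"="c:\windows\system32\rwnlgyd.dll"
"""

# Line formats as seen in the posted reports (assumption: other versions may differ).
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[", re.I)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DLL_RE = re.compile(r'^"ServiceDll"="(?P<dll>[^"]+)"', re.I)
SHELL_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command\s+-\s+(?P<cmd>.+)$", re.I)
# A handler that runs a script host or an executable, rather than just opening the drive.
RISKY_CMD_RE = re.compile(r"\b(wscript|cscript|mshta|rundll32)(\.exe)?\b|\.(vbs|vbe|js|exe|bat|cmd|scr|pif)\b", re.I)


def parse_report(text):
    """Return (services, service_dlls, mountpoints) parsed from report text."""
    services = {}                    # service name -> image command line
    service_dlls = {}                # service name -> ServiceDll path
    mountpoints = defaultdict(dict)  # mountpoints2 key -> {verb: command}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m["name"].lower()] = m["image"].lower()
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m["key"]  # values that follow belong to this key
            continue
        m = DLL_RE.match(line)
        if m and current_key and "\\services\\" in current_key.lower():
            service_dlls[current_key.rsplit("\\", 1)[-1].lower()] = m["dll"].lower()
            continue
        m = SHELL_RE.match(line)
        if m and current_key and "mountpoints2" in current_key.lower():
            mountpoints[current_key][m["verb"].lower()] = m["cmd"]
    return services, service_dlls, dict(mountpoints)


def shared_service_dlls(services, service_dlls):
    """ServiceDll -> sorted service names, for DLLs reused by two or more netsvcs services."""
    by_dll = defaultdict(list)
    for name, image in services.items():
        if "svchost.exe" in image and "-k netsvcs" in image and name in service_dlls:
            by_dll[service_dlls[name]].append(name)
    return {dll: sorted(names) for dll, names in by_dll.items() if len(names) > 1}


def risky_drive_handlers(mountpoints):
    """(volume GUID, verb, command) for every handler that runs code from the drive."""
    hits = []
    for key, verbs in mountpoints.items():
        guid = key.rsplit("\\", 1)[-1]
        for verb, cmd in sorted(verbs.items()):
            if RISKY_CMD_RE.search(cmd):
                hits.append((guid, verb, cmd))
    return hits


def triage(text):
    """Run both checks over a report and return the findings as a dict."""
    services, dlls, mps = parse_report(text)
    return {"shared_service_dlls": shared_service_dlls(services, dlls),
            "risky_drive_handlers": risky_drive_handlers(mps)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for dll, names in result["shared_service_dlls"].items():
        print(f"[!] {dll} is the ServiceDll of {len(names)} services: {', '.join(names)}")
    for guid, verb, cmd in result["risky_drive_handlers"]:
        print(f"[!] mountpoints2 {guid} {verb}: {cmd}")
```

Run against the sample it reports rwnlgyd.dll as the ServiceDll behind avbvitqm, axzlhzm and vvpqtgpal, and lists the three handlers that launch myeclass.vbs and SYS32.exe, which is exactly the set the CFScript in Post 8 removes. A plain "E:\" AutoRun command is not flagged, since opening the drive root is the normal behaviour; the script only points the analyst at entries that need a look, it does not decide on its own that they are malicious.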
Old 05-01-2009, 08:00 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Hi flobberangel,

Your system is still infected and the delay isn't helping matters. Why didn't you run the CFScript I gave you in Post 8?

Let's try this again. I've added the files reported by Kaspersky:

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
c:\windows\system32\rwnlgyd.dll
C:\Documents and Settings\Administrator\Desktop\usb files\April 3.doc .exe
C:\Documents and Settings\Administrator\Desktop\usb files\Auto.exe
C:\Documents and Settings\Administrator\Desktop\usb files\Flashy.exe
C:\Documents and Settings\Administrator\Desktop\usb files\RECYCLER.exe
C:\WINDOWS\system32\A2FEF6\40E15C.EXE
D:\ALBUMS and SONGS\Mamma Mia! - Soundtracks (2008)\07 - Super Trouper.mp3
D:\ALBUMS and SONGS\Rihanna - Good Girl Gone Bad\05 - Shut Up & Drive.mp3
D:\EBOOKS\Charles Haanel - The Master Key System.iso
D:\EBOOKS\Emile Coue - Self Mastery.iso

Driver::
axzlhzm
vvpqtgpal

NetSvc::
vvpqtgpal
axzlhzm
avbvitqm

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{16d3877d-a312-11dd-a3fc-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4b6a4010-131a-11de-a4ff-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e3ec5a0-c4c3-11dd-a450-000f1f2914d7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{634760c0-d3b8-11dd-a46b-000f1f2914d7}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"=-
"nlhr"=-

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Post the C:\ComboFix.txt please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-01-2009, 10:18 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

here is the log

sorry for the delay

ComboFix 09-05-02.4 - Administrator 05/02/2009 11:59.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.795 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fi.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

FILE ::
c:\documents and settings\Administrator\Desktop\usb files\April 3.doc .exe
c:\documents and settings\Administrator\Desktop\usb files\Auto.exe
c:\documents and settings\Administrator\Desktop\usb files\Flashy.exe
c:\documents and settings\Administrator\Desktop\usb files\RECYCLER.exe
c:\windows\system32\A2FEF6\40E15C.EXE
c:\windows\system32\rwnlgyd.dll
d:\albums and songs\Mamma Mia! - Soundtracks (2008)\07 - Super Trouper.mp3
d:\albums and songs\Rihanna - Good Girl Gone Bad\05 - Shut Up & Drive.mp3
d:\ebooks\Charles Haanel - The Master Key System.iso
d:\ebooks\Emile Coue - Self Mastery.iso
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\ADMINI~1\LOCALS~1\Temp\E_N4\spec.fne
c:\documents and settings\Administrator\Desktop\usb files\Auto.exe
c:\documents and settings\Administrator\Desktop\usb files\Flashy.exe
c:\documents and settings\Administrator\Desktop\usb files\RECYCLER.exe
c:\windows\system32\A2FEF6\40E15C.EXE
d:\albums and songs\Mamma Mia! - Soundtracks (2008)\07 - Super Trouper.mp3
d:\albums and songs\Rihanna - Good Girl Gone Bad\05 - Shut Up & Drive.mp3
d:\ebooks\Charles Haanel - The Master Key System.iso
d:\ebooks\Emile Coue - Self Mastery.iso

.
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
.

2009-04-29 04:14 . 2009-04-29 06:08 -------- d--h--w c:\windows\system32\27565C
2009-04-29 04:14 . 2009-05-02 19:00 -------- d--h--w c:\windows\system32\A2FEF6
2009-04-29 04:14 . 2009-04-29 04:14 -------- d--h--w c:\windows\system32\B0F5EF
2009-04-29 04:14 . 2009-04-29 04:14 -------- d--h--w c:\windows\system32\E28C3C
2009-04-19 08:45 . 2009-05-02 18:32 -------- d-----w c:\documents and settings\Administrator\Tracing
2009-04-19 08:30 . 2009-04-19 08:30 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-19 08:29 . 2009-04-19 08:29 -------- d-----w c:\program files\Microsoft
2009-04-19 08:28 . 2009-04-19 08:28 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-19 08:28 . 2009-04-19 08:29 -------- d-----w c:\program files\Windows Live
2009-04-19 08:09 . 2009-04-19 08:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-19 08:07 . 2009-04-19 08:07 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\iPod
2009-04-10 07:00 . 2009-04-10 07:03 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 07:00 . 2009-04-10 07:03 -------- d-----w c:\program files\iTunes
2009-04-10 06:49 . 2009-04-10 06:50 -------- d-----w c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-02 18:58 . 2008-10-25 23:47 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-04-10 07:00 . 2008-10-25 18:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-10 05:41 . 2008-10-25 18:43 -------- d-----w c:\program files\Bonjour
2009-03-28 17:47 . 2009-03-28 17:37 81984 ----a-w c:\windows\system32\bdod.bin
2009-03-28 09:05 . 2008-11-04 09:11 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-27 18:13 . 2009-03-27 18:13 -------- d-----w c:\program files\Trend Micro
2009-03-27 16:36 . 2009-03-27 16:37 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-27 05:46 . 2009-03-27 05:46 -------- d-----w c:\program files\Panda Security
2009-03-19 23:32 . 2008-10-26 02:54 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-13 04:59 . 2008-11-06 03:06 25992 ----a-w c:\windows\system32\pgdfgsvc.exe
2009-02-07 01:52 . 2009-02-07 01:52 49504 ----a-w c:\windows\system32\sirenacm.dll
.

------- Sigcheck -------

[-] 2005-11-28 16:42 1580544 9103FE3967CC3446A7BDE004ECA0B946 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-22_05.26.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-02 18:07 . 2009-05-02 18:07 16384 c:\windows\temp\Perflib_Perfdata_11ac.dat
+ 2008-10-25 23:29 . 2001-08-23 17:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-12-14 09:18 66912 ----a-w c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-29 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 avbvitqm;Center Installer;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2006-04-25 428160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]
S2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [2008-04-24 81920]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ab2dcc0-d3bd-11dd-a46c-000f1f2914d7}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5113aaa0-c033-11dd-a442-000f1f2914d7}]
\Shell\1\Command - F:\Recycle.exe
\Shell\2\Command - F:\Recycle.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-40E15C - c:\windows\system32\A2FEF6\40E15C.EXE


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {1306AAEA-CE29-45BE-8992-E69C3056C852} = 202.78.97.41 210.4.2.61
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6b4gidpm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-02 12:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-05-02 12:07
ComboFix-quarantined-files.txt 2009-05-02 19:06
ComboFix2.txt 2009-04-22 05:29
ComboFix3.txt 2009-04-10 23:28

Pre-Run: 16,263,475,200 bytes free
Post-Run: 16,337,604,608 bytes free

172
Attached Files
File Type: txt ComboFix.txt (10.5 KB, 1 views)

Last edited by Ried; 05-01-2009 at 10:30 PM.
flobberangel is offline  
Old 05-01-2009, 11:17 PM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

We have new malware that had come onboard in between the time you showed me your ComboFix.txt of 4/10, and now.

This is important - download RootRepeal.zip to your Desktop and extract the compressed file to its own folder.

Open the folder and doubleclick on RootRepeal.exe to run it.
  • Click on the Report tab, and then click on: Scan
  • A window opens asking what to include in the scan.
  • Check the following boxes then click OK:
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C)
  • Click OK once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
When the scan finishes, click on: Save Report. Save it to your desktop so you may find it easily.

Please attach the report in your next reply.
Ried is offline  
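The ComboFix log posted above carries the indicator classes the analyst is reacting to here: a Sigcheck failure on a core DLL, the XP firewall switched off, a service with a generated name running under svchost.exe, and per-device autorun handlers left under MountPoints2. The following Python script is an added example, not part of the thread and not a ComboFix feature; it triages a log of that layout. The sample lines are constructed from entries quoted in this thread, and the random-name heuristic in `looks_random` is an assumption, not a ComboFix rule.

```python
import re
from dataclasses import dataclass

# Constructed sample log: a few lines in the layout ComboFix prints, taken from
# the entries quoted in this thread (Sigcheck, firewall policy, services,
# MountPoints2 autorun handlers).
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2005-11-28 16:42 1580544 9103FE3967CC3446A7BDE004ECA0B946 c:\windows\system32\sfcfiles.dll
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

R2 avbvitqm;Center Installer;c:\windows\system32\svchost.exe [2004-08-04 14336]
R3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2006-04-25 428160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-20 28544]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ab2dcc0-d3bd-11dd-a46c-000f1f2914d7}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5113aaa0-c033-11dd-a442-000f1f2914d7}]
\Shell\1\Command - F:\Recycle.exe
\Shell\2\Command - F:\Recycle.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycle.exe
"""

# Line shapes ComboFix uses for the four indicator classes we care about.
SIGCHECK_RE = re.compile(r'^\[-\]\s+\S+\s+\S+\s+(\d+)\s+([0-9A-Fa-f]{32})\s+(.+)$')
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[')
MOUNTPOINT_CMD_RE = re.compile(r'^\\Shell\\\S+\s+-\s+(.+)$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
VOWELS = set('aeiouy')


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a ComboFix rule) for the generated
    service names seen in this thread, e.g. avbvitqm, axzlhzm, vvpqtgpal:
    all lowercase letters, at least 7 long, and vowel-poor."""
    if len(name) < 7 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(ch in VOWELS for ch in name)
    return vowels / len(name) < 0.3


def triage(log_text: str) -> list:
    """Walk a ComboFix log and return Findings for: Sigcheck failures,
    the XP firewall being switched off, services with generated names,
    and per-device autorun handlers left under MountPoints2."""
    findings = []
    in_mountpoint_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIGCHECK_RE.match(line)
        if m:  # '[-]' marks a system file that failed signature verification
            findings.append(Finding('sigcheck-fail', m.group(3), 'high'))
            continue
        if line.startswith('['):  # registry key header: track MountPoints2 keys
            in_mountpoint_key = 'mountpoints2' in line.lower()
            continue
        if in_mountpoint_key:
            m = MOUNTPOINT_CMD_RE.match(line)
            if m:  # shell verb bound to an executable on removable media
                findings.append(Finding('mountpoints2-autorun', m.group(1), 'high'))
                continue
        if FIREWALL_OFF_RE.match(line):
            findings.append(Finding('firewall-disabled', line, 'medium'))
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, image = m.groups()
            if looks_random(name):
                findings.append(Finding('random-service-name',
                                        f'{name} -> {image}', 'high'))
            elif image.lower().endswith('\\svchost.exe'):
                findings.append(Finding('service-hosted-by-svchost',
                                        f'{name} -> {image}', 'info'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'[{f.severity:6}] {f.kind:24} {f.detail}')
```

Run against the sample it reports seven findings; the MountPoints2 entries are the USB-worm hooks that the CFScript above removes by key, and the Sigcheck line is the sfcfiles.dll problem the analyst returns to later in the thread.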
Old 05-03-2009, 03:28 AM   #13 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

I downloaded the rootrepeal.rar from the said site.
Extracted it, and when I ran the rootrepeal.exe, there was a memo which said "could not load kernel, please contact author".

And when I proceed as instructed (click 'report', and then 'scan', and then click the said boxes and drive) the scan proceeds for five minutes and then closes. A .txt document then shows up, named "Rootrepeal_crash_50209". I ran the scan five times, and there were five variations of this document in the rootrepeal folder.

What should I do?
flobberangel is offline  
Old 05-03-2009, 09:17 AM   #14 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Please use gmer.exe again.

Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent.
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.





  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark2.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries



Please attach the ark2.txt in your next reply
Ried is offline  
Old 05-06-2009, 02:59 AM   #15 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

here is the log
Attached Files
File Type: txt ark2.txt (6.7 KB, 5 views)
flobberangel is offline  
Old 05-06-2009, 06:56 AM   #16 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Is there any way you can respond quicker? This malware is not going to go away on its own, and the longer you delay, the worse it's going to get. You have several rootkits onboard that have infiltrated your core system files and services. If time is an issue for you, you may want to consider re-formatting the machine and reinstalling Windows.


Once again, read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Open notepad and copy/paste the text in the code box below into it:

Quote:

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/361068-no-icons-no-taskbar-only-desktop-image-normal-mode-part2.html#post2121408

Collect::
C:\WINDOWS\system32\rwnlgyd.dll

Folder::
c:\windows\system32\27565C
c:\windows\system32\A2FEF6
c:\windows\system32\B0F5EF
c:\windows\system32\E28C3C

Driver::
avbvitqm
axzlhzm
vvpqtgpal

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5113aaa0-c033-11dd-a442-000f1f2914d7}]

SRPeek::
c:\windows\system32\sfcfiles.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe

***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

***************************************************





Referring to the picture above, drag CFScript into ComboFix.exe. Allow ComboFix to update.


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Post the C:\ComboFix.txt for further review. Also - please tell me how the system is behaving. What symptoms are you still experiencing?
Ried is offline  
Old 05-07-2009, 08:34 AM   #17 (permalink)
Registered User
 
Join Date: Mar 2009
Posts: 12
OS: XP


Re: No icons, no taskbar, only desktop image in normal mode, part2

here is the log

ComboFix 09-05-06.08 - Administrator 05/07/2009 19:54.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1278.912 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fi.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\27565C
c:\windows\system32\27565C\b7e8ce.txt
c:\windows\system32\A2FEF6
c:\windows\system32\B0F5EF
c:\windows\system32\B0F5EF\cnvpe.fne
c:\windows\system32\B0F5EF\dp1.fne
c:\windows\system32\B0F5EF\eAPI.fne
c:\windows\system32\B0F5EF\HtmlView.fne
c:\windows\system32\B0F5EF\internet.fne
c:\windows\system32\B0F5EF\krnln.fnr
c:\windows\system32\B0F5EF\RegEx.fnr
c:\windows\system32\B0F5EF\shell.fne
c:\windows\system32\B0F5EF\spec.fne
c:\windows\system32\E28C3C

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AVBVITQM
-------\Service_avbvitqm


((((((((((((((((((((((((( Files Created from 2009-04-08 to 2009-05-08 )))))))))))))))))))))))))))))))
.

2009-05-04 04:11 . 2009-05-04 04:11 -------- d-----w c:\program files\AskSearch
2009-05-04 04:11 . 2009-05-04 04:11 -------- d-----w c:\program files\AskBarDis
2009-04-19 08:45 . 2009-05-08 03:04 -------- d-----w c:\documents and settings\Administrator\Tracing
2009-04-19 08:30 . 2009-04-19 08:30 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-19 08:29 . 2009-04-19 08:29 -------- d-----w c:\program files\Microsoft
2009-04-19 08:28 . 2009-04-19 08:28 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-19 08:28 . 2009-04-19 08:29 -------- d-----w c:\program files\Windows Live
2009-04-19 08:09 . 2009-04-19 08:09 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-19 08:07 . 2009-04-19 08:07 -------- d-s---w c:\documents and settings\Administrator\UserData
2009-04-10 07:01 . 2009-04-10 07:01 -------- d-----w c:\program files\iPod
2009-04-10 07:00 . 2009-04-10 07:03 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-10 07:00 . 2009-04-10 07:03 -------- d-----w c:\program files\iTunes
2009-04-10 06:49 . 2009-04-10 06:50 -------- d-----w c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 07:00 . 2008-10-25 18:39 -------- d-----w c:\program files\Common Files\Apple
2009-04-10 05:41 . 2008-10-25 18:43 -------- d-----w c:\program files\Bonjour
2009-03-28 17:47 . 2009-03-28 17:37 81984 ----a-w c:\windows\system32\bdod.bin
2009-03-28 09:05 . 2008-11-04 09:11 -------- d-----w c:\program files\Common Files\BitDefender
2009-03-27 18:13 . 2009-03-27 18:13 -------- d-----w c:\program files\Trend Micro
2009-03-27 16:36 . 2009-03-27 16:37 102664 ----a-w c:\windows\system32\drivers\tmcomm.sys
2009-03-27 05:46 . 2009-03-27 05:46 -------- d-----w c:\program files\Panda Security
2009-03-19 23:32 . 2008-10-26 02:54 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-02-13 04:59 . 2008-11-06 03:06 25992 ----a-w c:\windows\system32\pgdfgsvc.exe
.

(((((((((((((((((((((((((((((((((((((((((( SR_Search ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
------- Sigcheck -------

[-] 2005-11-28 16:42 1580544 9103FE3967CC3446A7BDE004ECA0B946 c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-04-22_05.26.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-08 01:21 . 2009-05-08 01:21 16384 c:\windows\temp\Perflib_Perfdata_fd4.dat
+ 2008-10-25 23:29 . 2001-08-23 17:00 19429 c:\windows\system32\MsDtc\Trace\msdtcvtr.bat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-12-14 09:18 66912 ----a-w c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-04-02 19:47 333192 ----a-w c:\program files\AskBarDis\bar\bin\askBar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-25 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-25 118784]
"SigmaTel StacMon"="c:\program files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe" [2004-04-29 90169]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"VMSnap3"="c:\windows\VMSnap3.EXE" [2006-08-30 49152]
"Domino"="c:\windows\Domino.EXE" [2006-06-29 49152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"BCMSMMSG"="BCMSMMSG.exe" - c:\windows\BCMSMMSG.exe [2003-08-29 122880]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2005-08-24 61952]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
40E15C.lnk - c:\qoobox\Quarantine\C\WINDOWS\system32\A2FEF6\40E15C.EXE.vir [2009-4-28 1405294]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [3/26/2009 10:48 PM 28544]
R2 Autorun CDROM Monitor;Autorun CDROM Monitor;c:\windows\system32\SupportAppXL\cdrom_mon.exe [12/26/2008 6:48 PM 81920]
S2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [5/3/2009 9:11 PM 234888]
S3 vmfilter303;vmfilter303;c:\windows\system32\drivers\vmfilter303.sys [2/9/2009 10:24 PM 428160]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2ab2dcc0-d3bd-11dd-a46c-000f1f2914d7}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=13928&l=dis
uInternet Settings,ProxyServer = proxy8.up.edu.ph:8080
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
TCP: {1306AAEA-CE29-45BE-8992-E69C3056C852} = 202.78.97.41 210.4.2.61
TCP: {8F01CAFC-1531-4F59-B36D-D1DAC9DC9B95} = 10.32.1.7,10.16.3.143
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6b4gidpm.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.ph/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=13925&gct=&gc=1&q=
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-07 20:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3980)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-05-08 20:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-08 03:08
ComboFix2.txt 2009-05-02 19:07
ComboFix3.txt 2009-04-22 05:29
ComboFix4.txt 2009-04-10 23:28

Pre-Run: 15,740,739,584 bytes free
Post-Run: 15,839,756,288 bytes free

192
Attached Files
File Type: txt Combofix.txt (11.3 KB, 4 views)

Last edited by Ried; 05-08-2009 at 12:15 AM.
flobberangel is offline  
05-07-2009, 04:19 PM   #18
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista

Re: No icons, no taskbar, only desktop image in normal mode, part2

We have more to do, but before I continue....

Quote:
Originally Posted by Ried
Also - please tell me how the system is behaving. What symptoms are you still experiencing?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
05-08-2009, 06:32 AM   #19
Registered User
Join Date: Mar 2009
Posts: 12
OS: XP

Re: No icons, no taskbar, only desktop image in normal mode, part2

Sorry about that >_<

The system is still behaving normally,
though I don't have any antivirus installed.
The only weird thing that happens is when I open the computer: a program named 40E15.EXE.vir shows up with an "Open with" window. I don't know what the program is, so I cancel the "Open with" window.
Also, ask.com replaced my default homepage one time. I changed it to google.com, but just in case, is that some kind of virus or malware?
Posted by flobberangel
05-08-2009, 07:10 AM   #20
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,983
OS: WinXP and Vista


Re: No icons, no taskbar, only desktop image in normal mode, part2

Uninstall AskSBar via Start>Control Panel>Add or Remove programs, but that is the least of your problems right now.

This core Windows file is failing verification, and you don't have a clean copy anywhere onboard:

c:\windows\system32\sfcfiles.dll

Do you have access to a Windows XP Pro SP2 install disc so we can replace this with a legit copy?


I'd also like to see a fresh gmer scan. Run it again using the same configuration as before. Save it as "ark3.txt" and attach it. Do that now and post it asap.

==========================

After you've returned with the above information, get an AV on there right away. Here is a very good free AV:

Download Avira AntiVir PersonalEdition Classic. Install, update definitions, and run a full system scan. Post the results here when done.
Posted by Ried
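The reply above rests on one check: a protected system file fails verification and no clean copy of it is on board, so it has to be replaced from install media. The script below is an added example, not part of the thread and not ComboFix's or Windows File Protection's own logic. It hashes the live copy of a file, looks for same-named copies in the places XP keeps reference files (the dllcache and ServicePackFiles paths are assumed; adjust them for the machine), and reports whether a restore source exists. The demo builds its own file contents and directory layout in a temporary directory, so it runs offline and the "sfcfiles.dll" it writes is a constructed stand-in, not a real PE.

```python
"""Check a protected Windows file against on-board reference copies by SHA-256.

Added example for the thread above; not ComboFix or Windows File Protection code.
"""
import hashlib
import os
import tempfile

# Assumed: where Windows XP keeps reference copies of protected system files.
# Adjust for the machine in question; the demo below uses temp dirs instead.
XP_REFERENCE_DIRS = [
    r"C:\WINDOWS\system32\dllcache",
    r"C:\WINDOWS\ServicePackFiles\i386",
]


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so a large DLL is not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def check_reference_copies(live_path, reference_dirs):
    """Hash the live file and each same-named copy in reference_dirs.

    Returns {"live_sha256": ..., "references": {dir: status}} where status is
    "match" (identical to the live file), "mismatch" (present but different)
    or "missing" (no copy in that directory).
    """
    name = os.path.basename(live_path)
    live_hash = sha256_of(live_path)
    statuses = {}
    for directory in reference_dirs:
        candidate = os.path.join(directory, name)
        if not os.path.isfile(candidate):
            statuses[directory] = "missing"
        elif sha256_of(candidate) == live_hash:
            statuses[directory] = "match"
        else:
            statuses[directory] = "mismatch"
    return {"live_sha256": live_hash, "references": statuses}


def verdict(report):
    """Collapse the per-directory statuses into the decision the reply makes."""
    statuses = set(report["references"].values())
    if "match" in statuses:
        return "LIVE_MATCHES_REFERENCE"   # identical copies; not by itself proof of a clean file
    if "mismatch" in statuses:
        return "RESTORE_FROM_REFERENCE"   # an on-board copy differs; verify it, then restore from it
    return "NEED_INSTALL_MEDIA"           # nothing on board; replace from the XP install disc


def run_demo(with_reference_copy=False):
    """Constructed scenario: a modified sfcfiles.dll and, optionally, a dllcache copy."""
    root = tempfile.mkdtemp(prefix="sfc_demo_")
    system32 = os.path.join(root, "system32")
    dllcache = os.path.join(system32, "dllcache")
    spfiles = os.path.join(root, "ServicePackFiles", "i386")
    for d in (system32, dllcache, spfiles):
        os.makedirs(d, exist_ok=True)

    live = os.path.join(system32, "sfcfiles.dll")
    with open(live, "wb") as fh:  # constructed bytes, not a real PE image
        fh.write(b"MZ" + b"\x00" * 62 + b"patched code")
    if with_reference_copy:
        with open(os.path.join(dllcache, "sfcfiles.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62 + b"original code")

    return verdict(check_reference_copies(live, [dllcache, spfiles]))


if __name__ == "__main__":
    print("no reference on board ->", run_demo())
    print("dllcache copy present ->", run_demo(True))
```

Hash equality only says two copies are identical, not that either is genuine: malware that patches the dllcache copy as well, or hides the file from the scanner (the reason catchme scans for hidden files above), defeats this check. For a verdict you can act on, compare against the hash of the file taken from known-good install media, which is what the reply asks for.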
All times are GMT -7.
Copyright 2001 - 2009, Tech Support Forum